Are you ready for GDPR?

The clock is ticking for businesses to comply with the European Union’s General Data Protection Regulation (GDPR), which comes into force on May 25. Healthcare Europa talks to Aetna International’s CIO Alan Payne to find out what the data handling regulations mean for healthcare insurers and operators, and the challenges on the path to compliance.

With 99 requirements, 12 key steps, and a looming deadline, GDPR is causing operators to stop and carefully examine how they handle data. The regulation is not what many first assumed, says Payne: “Very little of this is to do with technology; it’s policy, process and documenting to the regulator that you know where data is stored and, if a customer wants to do something, you know how. That’s the crux – it’s not a big technology build project.

“I was asked to take over in August last year and there was a dawning realisation we had to be compliant or we’d be in a whole world of hurt. It started off as, frankly, a raft of non-data-led concerns, almost panic. We’ve gone into the 99 requirements and 12 key steps and mapped against what we do – and found mostly it’s tweaks to policy or systems that’s needed. It’s been a good mechanism for looking at how we deal with data privacy.”

Aetna is taking the process seriously, with twice-weekly steering committee meetings and around 100 people – business, “not IT” – working on the project (though only 10 of those do so full time, the rest spending between 25% and 75% of their time on it).

KPMG has been brought in as adviser and has been soft-auditing Aetna against the new regulation to test compliance.

The regulations set out a number of rights and obligations, including:

The right to erasure

This is the right which is troubling some operators most – Payne suggests perhaps needlessly. He explains: “I don’t believe these regulations were written with health insurers or operators at the heart of it, I think it was the larger social media companies and search engine companies. The right to be forgotten only applies where you have a relationship that has not created a transaction with that company. If you’re a member, by signing up to receive services on behalf of Aetna / Aetna International, we have rights over your data, and this is immutable, we cannot, by law, delete data that makes up a financial transaction. We’d be contravening sales tax regulations, VAT, corporation tax and a whole raft of other things let alone EU regulations.”

Partial deletion remains a grey area, but the regulator appears to be moving towards the position where it’s all or nothing.

Safeguarding data

Companies must be able to prove they are safeguarding individuals’ data correctly. Payne says: “We only give access to customer data to people who absolutely need it. We also monitor the transactional activity of customer data, and we stop it if it tries to go outside our borders. We (Aetna Global) scan every outbound and inbound transaction looking for patterns of customer data. We know that when anyone moves anything with a social security number then it has a 3-dash-4 pattern, even in a PDF. Likewise we’ve mapped global ID patterns – we know if there’s a Singaporean ID number being sent.”
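As an added illustration (not Aetna’s tooling, and not code from this article), a small Python content scanner of the kind Payne describes: it looks for the dashed US social security number layout and Singapore NRIC-style identifiers in outbound text, applies plausibility checks to reduce false positives, and masks any hits before release. The messages are constructed samples and the plausibility rules are assumptions about the identifier formats, not anything the article states.

```python
import re

# Constructed outbound messages for the demo; none contain real personal data.
SAMPLE_MESSAGES = [
    "Claim 4471 approved for member, SSN 123-45-6789, forward to broker",
    "Quarterly report attached; no personal identifiers included",
    "Policy ref 000-12-3456 is a test string, not a real SSN",
    "Member NRIC S1234567D requires plan update",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")        # the 3-2-4 dashed layout
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")         # Singapore NRIC/FIN shape

def plausible_ssn(area, group, serial):
    """Reject ranges the US SSA never issues (area 000/666/900+, zero group or serial)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def nric_checksum_ok(prefix, digits, check):
    """Verify the NRIC check letter: weighted digit sum mod 11, offset by 4 for T/G prefixes."""
    weights = (2, 7, 6, 5, 4, 3, 2)
    total = sum(w * int(d) for w, d in zip(weights, digits))
    if prefix in "TG":
        total += 4
    table = "JZIHGFEDCBA" if prefix in "ST" else "XWUTRQPNMLK"
    return table[total % 11] == check

def scan(message):
    """Return a list of (identifier type, matched text) findings for one message."""
    findings = []
    for m in SSN_RE.finditer(message):
        if plausible_ssn(*m.groups()):
            findings.append(("SSN", m.group(0)))
    for m in NRIC_RE.finditer(message):
        if nric_checksum_ok(*m.groups()):
            findings.append(("SG_NRIC", m.group(0)))
    return findings

def redact(message):
    """Mask each confirmed identifier, keeping only its last two characters for reconciliation."""
    out = message
    for _, value in scan(message):
        out = out.replace(value, "*" * (len(value) - 2) + value[-2:])
    return out

def triage(messages):
    """Map message index -> findings, only for messages that would be blocked."""
    return {i: scan(m) for i, m in enumerate(messages) if scan(m)}
```

The checksum and issuance rules are what make this usable in practice: a bare regex fires on test strings and reference numbers, which is exactly the false-positive noise that makes staff ignore a DLP gate.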

Training staff

Depending on the extent to which staff handle data, everyone from the front desk to the CEO needs to have varying levels of GDPR awareness training. Payne explains: “It’s an extension of what we already do. We have an e-learning solution with three levels and globally all 50,000 employees of Aetna will be doing a basic GDPR awareness course.

“Third-party administrators and suppliers, people that use our customer data like brokers, need to sign to say they are compliant – we need to go up- and downstream. If they don’t certify, we can’t do business with them.”

Consent

Data subjects’ consent needs to be “freely given, specific, informed and unambiguous”. In practice, this means operators and insurers will not be able to bury clauses in terms and conditions. Mandates giving permission to handle data must be explicit, opt-in, and obvious.

Payne says: “So you’d need to opt-in to your data being used to help in your care, and if we want to use it for any other purposes, like research, we need to be explicit.”

How this will impact big data and AI learning, if a portion of patients opts out, remains to be seen. Payne adds: “Unless you’ve got a really sophisticated data fabric layer, how do you exclude people from that, and how do you prove that?

“But it’s your data you should decide what companies do with it.”

The legislation is not retrospective.

And in any event, Payne says provisions made now could be superseded: “Blockchain is likely to replace all of this and you will decide at the most intrinsic level what people can see and why, through your iPhone or whatever.”

Other requirements

Among the other requirements added by the regulation are a right to rectify, record keeping requirements (Aetna has appointed a data privacy officer) and the right for subjects to have data portability.

On that last point, Payne says: “The format most insurers have may be proprietary. We can comply with the act in principle, but how do we go beyond offering a PDF when there are no standards? For health records at least, we’ve got FHIR (an electronic health record standard).”

Businesses need to take the regulation seriously, says Payne, adding “there’s an opportunity to create an asset out of a liability”.

He adds: “Perhaps the biggest challenge is training and business awareness. And it doesn’t finish on May 25; it has to be embedded in your daily DNA. Privacy is no longer the last thought.”

As for the risk of non-compliance, he says: “For a substantial breach it could close a business. But if you look at the Information Commissioner’s Office and the fines it’s ever levied for data privacy breach I don’t think you’d find anything over £500,000.”

And if you are reading this, operating in Europe and currently unprepared? “My strong advice is to go to one of the dozen companies offering advice very quickly, get a plan for how you can be compliant. Even if you are not compliant on the day itself, even though you are expected to be, if you have a storyboard and a valid rationale for how to become compliant, and where the risks are, and how you would deal with the issues, that should assuage the auditors – though I don’t know that for a fact!”

We would welcome your thoughts on this story. Email your views to David Farbrother or call 0207 183 3779.