May 2020 Volume LV Number 3


Litch's Law Log

November 2019 Volume LIV Number 6

Data Privacy Protection: The Impact of GDPR
While most pediatric dental offices have heard of compliance practices based on the federal HIPAA law, few have probably heard of the General Data Protection Regulation (GDPR). Adopted by the European Union Parliament in 2016 and effective since May 2018, this regulation mainly impacts for-profit corporations that maintain data on European customers, and non-profit associations that have members in the European Union (EU). However, the impact may spread.1
GDPR applies to any organization that maintains data on just one EU-based individual. Penalties for violating the regulations can be as high as $24 million, or up to four percent of global revenue. This has caused associations like the AAPD to take notice, even though associations do not usually maintain highly sensitive personal data on members or contacts, and also have a much more positive reputation than entities such as credit collection companies. While GDPR is targeted at large companies, associations still need to make a good faith effort to comply to the fullest extent possible. GDPR can also be applicable where there are meetings and events in the EU, or customers/sponsors/exhibitors in the EU.
GDPR covers both processors and controllers of personal data, also known as personally identifiable information (PII). Individuals have the right to access their personal data, including a new "right of erasure" or "right to be forgotten", which, as the terms imply, means erasure/deletion of personal data. There are also data breach reporting obligations similar to breach notification requirements for covered entities and business associates under HIPAA.
What does GDPR compliance mean? That all processing of personal data must be lawful, meaning:
  • Data subject has given consent.
  • Processing is necessary for legitimate interest.
  • Processing is necessary for performance of a contract to which data subject is a party.
  • Processing is necessary for compliance with legal obligations.
  • Processing is necessary to protect vital interests of the data subject or another person.
  • Processing is necessary for performance of a task carried out in the public interest or in the exercise of official authority.
For associations, the key GDPR implication has been development of a data consent form for EU residents (this is courtesy of the AAPD's outside law firm, Barnes and Thornburg):
By clicking on "I Accept" below, you are providing Association with your express consent for your personal data to be used as follows:
  • Association uses the data you provide to it to service your membership, to inform you of Association’s products, services, conference, and events, and for such other purposes which are within the scope of Association’s exempt purpose and mission; and
  • Association shares the data you provide to it with vendors and other third parties in order to process your request including online purchase and conference registration, to inform you of products and eservices which may be of interest to you, and for such other purpose as Association may approve from time to time.
For more information regarding your personal data rights, please review the Association Privacy Policy located at: (Visit AAPD’s at:
The GDPR structure requires the organization to determine if data use is based on legitimate interest or consent. Internal use of PII provided by members and customers is usually a legitimate interest for an association, but third-party use, when information leaves the organization (such as mailing list rentals or providing attendee lists to exhibitors), requires consent. Informed consent must be an "opt in", and specific, unambiguous, and plainly worded. Organizations also need to designate a Data Protection Officer, which can be an existing position in senior management, as AAPD has done. AAPD has worked directly with our association management software company, ACGI, to ensure compliance in terms of the AAPD membership database system.
You might ask if the EU can actually enforce GDPR in U.S. courts. The answer is YES.
Do health care providers need to be concerned? For larger health care systems, including academic health centers, GDPR could apply in situations such as: a research sponsor or vendor collecting personal data from individuals in the EU; a research clinical trial recruiting individuals within the EU (as opposed to an EU citizen living in the U.S.); or a U.S.-based health care system using an EU-based cloud storage system with subjects' data transferred to the EU-based storage site.
Finally, other countries are looking at GDPR-type laws, and California has already moved forward with a similar law. It passed the California Consumer Privacy Act of 2018, AB-375, which brings some of the EU protections to California residents on Jan. 1, 2020. Only larger organizations are covered under the California law: those having annual revenues of at least $25 million or retaining personal information of at least 50,000 California residents, households, or devices. The law does not apply to non-profit organizations.
Since GDPR only went into effect in 2018 and the California law is not effective until 2020, it is still too early to determine the scope of enforcement impact on organizations in the U.S. Note that some larger corporations, including the Los Angeles Times and Chicago Tribune, decided to shut down all online access to anyone in the EU. However, for associations such as AAPD that have international members, some based in the EU, this is not an approach that will be taken.
For further information contact Chief Operating Officer and General Counsel C. Scott Litch at 312-337-2169 ext. 29 or
This column presents a general informational overview of legal issues. It is intended as general guidance rather than legal advice. It is not a substitute for consultation with your own attorney concerning specific circumstances in your dental practice. Mr. Litch does not provide legal representation to individual AAPD members.

1Thanks to these resources:
Barkan, T. You Know About the GDPR. Now What. Forum magazine, March 2018, pp. 18-20.
Goedert, P., Dunn O’Neal B. Is Your Organization Ready? General Data Protection Regulations (GDPR), Barnes and Thornburg webinar, May 8, 2018.
Raines, H., Laughton, A, Thomas, A. The Broad Reach of the GDPR: Europe’s New Data Protections and Their Impact on U.S. Health Care Entities. AHLA Connections, January, 2019, pp. 10-15.
Ebner T. Countdown to GDPR. Associations Now, 3-4, 2018, pp. 51-53.
Williard, B. What Associations Need to Know About GDPR. Forum, October 2018, pp. 32-35.
