GDPR
Compliance, Privacy & Ethicsarticle · 8 min · updated Jul 17, 2026

GDPR

By Rajendra Sharma, RN, CPC, CPBReviewed by Rajendra Sharma, RN, CPC, CPB · Jul 17, 2026

Europe's data protection regulation, and why it matters to people who will never work in Europe: it set the template most of the world copied — including the parts India deliberately didn't.

GDPR

In one line

GDPR is the EU's data protection regulation, and its influence vastly exceeds its jurisdiction: it is the template most modern privacy law was written against — including India's DPDP, which copied some of it and deliberately declined the rest.

Why learn it if you work in India

Three honest reasons:

  1. It reaches you anyway. GDPR applies to processing the data of people in the EU, regardless of where you are. An Indian company handling an EU patient's data is in scope.
  2. It's the reference implementation. Every subsequent law is written either following it or consciously departing from it. Knowing GDPR makes DPDP legible in an afternoon.
  3. It defines the vocabulary the whole field now argues in — controller, processor, lawful basis, data subject rights.

The core structure

Roles: a controller decides why and how data is processed; a processor acts on the controller's instructions. The hospital is the controller; your cloud vendor is a processor. The controller carries the accountability, which is why "our vendor said it was compliant" is not a defence.

Six lawful bases — and this is where health people get it wrong most often. Consent is only one:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests — the unconscious patient in resus
  • Public task — much of public healthcare
  • Legitimate interests

The mistake is assuming healthcare runs on consent. Often it doesn't and shouldn't. GDPR's own logic says consent must be freely given — and consent obtained when the alternative is not being treated is not free. So a great deal of clinical processing correctly relies on vital interests, public task, or legal obligation instead. Asking for consent you don't need, and can't honour a refusal of, is worse than not asking.

Article 9 — the part that matters most in health

Health data is a special category. Processing it is prohibited by default and permitted only under specific Article 9 conditions — explicit consent, vital interests, healthcare provision under professional secrecy, public health, or research with safeguards.

That structure — prohibited unless — is the single most consequential thing about GDPR for our field, and it is exactly what India's DPDP does NOT do. DPDP is a general law: your psychiatric history and your food delivery address sit in the same class. Practitioners who learned privacy under GDPR carry the special-category assumption into Indian work and expect protection the statute doesn't supply. That's not a small difference — it changes where your obligations come from.

The rights, briefly

Access, rectification, erasure ("right to be forgotten"), restriction, portability, and objection. Two health-specific realities:

  • Erasure is heavily qualified in health. Medical records have statutory retention periods that override a deletion request. You generally cannot delete a clinical record on demand, and telling a patient otherwise is a promise you'll break.
  • Portability is where GDPR and FHIR meet: "structured, commonly used, machine-readable" is a legal requirement that a standard happens to satisfy.

The bits people underrate

  • Privacy by design and by default — Article 25 makes it a legal obligation, not an engineering preference. The default setting must be the private one.
  • DPIA — a Data Protection Impact Assessment is mandatory for high-risk processing, which large-scale health data almost always is. Do it before you build, or explain later why you didn't.
  • 72-hour breach notification to the supervisory authority. That clock is short, and it starts when you become aware, not when you finish investigating.
  • Fines up to 4% of global annual turnover — the number that made boards care after two decades of directives that didn't.

The honest assessment

GDPR is genuinely good law that produces some ritual — the cookie banner is its most visible and least useful artefact, and it has trained a generation to click "accept" reflexively, which is the opposite of informed consent.

But the core is sound and the influence is real: prohibited-unless for sensitive data, a named accountable controller, and rights that attach to the person rather than the record. Whatever jurisdiction you end up in, those three ideas will be underneath it.

References

  1. EU — General Data Protection Regulation (full text)
  2. EU — GDPR Article 9: Processing of special categories of personal data
  3. European Data Protection Board — Guidelines

Related entries