GDPR
Europe's data protection regulation, and why it matters to people who will never work in Europe: it set the template most of the world copied — including the parts India deliberately didn't.
In one line
GDPR is the EU's data protection regulation, and its influence vastly exceeds its jurisdiction: it is the template most modern privacy law was written against — including India's DPDP, which copied some of it and deliberately declined the rest.
Why learn it if you work in India
Three honest reasons:
- It reaches you anyway. GDPR applies to processing the data of people in the EU, regardless of where you are. An Indian company handling an EU patient's data is in scope.
- It's the reference implementation. Every subsequent law is written either following it or consciously departing from it. Knowing GDPR makes DPDP legible in an afternoon.
- It defines the vocabulary the whole field now argues in — controller, processor, lawful basis, data subject rights.
The core structure
Roles: a controller decides why and how data is processed; a processor acts on the controller's instructions. The hospital is the controller; your cloud vendor is a processor. The controller carries the accountability, which is why "our vendor said it was compliant" is not a defence.
Six lawful bases — and this is where health people get it wrong most often. Consent is only one:
- Consent
- Contract
- Legal obligation
- Vital interests — the unconscious patient in resus
- Public task — much of public healthcare
- Legitimate interests
The mistake is assuming healthcare runs on consent. Often it doesn't and shouldn't. GDPR's own logic says consent must be freely given — and consent obtained when the alternative is not being treated is not free. So a great deal of clinical processing correctly relies on vital interests, public task, or legal obligation instead. Asking for consent you don't need, and can't honour a refusal of, is worse than not asking.
Article 9 — the part that matters most in health
Health data is a special category. Processing it is prohibited by default and permitted only under specific Article 9 conditions — explicit consent, vital interests, healthcare provision under professional secrecy, public health, or research with safeguards.
That structure — prohibited unless — is the single most consequential thing about GDPR for our field, and it is exactly what India's DPDP does NOT do. DPDP is a general law: your psychiatric history and your food delivery address sit in the same class. Practitioners who learned privacy under GDPR carry the special-category assumption into Indian work and expect protection the statute doesn't supply. That's not a small difference — it changes where your obligations come from.
The rights, briefly
Access, rectification, erasure ("right to be forgotten"), restriction, portability, and objection. Two health-specific realities:
- Erasure is heavily qualified in health. Medical records have statutory retention periods that override a deletion request. You generally cannot delete a clinical record on demand, and telling a patient otherwise is a promise you'll break.
- Portability is where GDPR and FHIR meet: "structured, commonly used, machine-readable" is a legal requirement that a standard happens to satisfy.
The bits people underrate
- Privacy by design and by default — Article 25 makes it a legal obligation, not an engineering preference. The default setting must be the private one.
- DPIA — a Data Protection Impact Assessment is mandatory for high-risk processing, which large-scale health data almost always is. Do it before you build, or explain later why you didn't.
- 72-hour breach notification to the supervisory authority. That clock is short, and it starts when you become aware, not when you finish investigating.
- Fines up to 4% of global annual turnover — the number that made boards care after two decades of directives that didn't.
The honest assessment
GDPR is genuinely good law that produces some ritual — the cookie banner is its most visible and least useful artefact, and it has trained a generation to click "accept" reflexively, which is the opposite of informed consent.
But the core is sound and the influence is real: prohibited-unless for sensitive data, a named accountable controller, and rights that attach to the person rather than the record. Whatever jurisdiction you end up in, those three ideas will be underneath it.