So far, every medical tourism facilitator I have asked about General Data Protection Regulation ("GDPR") readiness has either not heard of the GDPR or didn't think the regulation applied to them outside of Europe. Wrong!
Likewise, healthcare business consultants outside of Europe who solicit medical tourism project assignments targeting European tourism authorities, health authorities, economic development authorities, hospitals, doctors, dentists, and clinics are also unaware of the GDPR, or unaware that it applies to businesses outside of Europe. Wrong again!
So simply ignoring the GDPR isn't an option, unless your business can afford to lose up to 4 percent of its global revenue for the previous year (or €20 million, whichever is higher). I guess that's not much of a loss for the medical tourism facilitators who have a website and no business, or for consultants who are just starting out and don't have any revenues to speak of. Why not do the math on the back of a napkin to see whether it is worth reading any further.
Brands that don't comply by May 25, 2018 can be fined from that date onward. That goes for marketers in the USA, Canada, India, Mexico, Thailand, the Asian side of Turkey, and every other location where medical tourism marketing originates.
Start with the lists you compile and use for marketing, in CRMs, and for newsletters.
So lists are where the pain begins. The GDPR affects medical tourism sellers, consumers, investors, and software companies across the technology landscape. The regulation applies from May 25, 2018, and is expected to have especially profound implications for businesses that include advertising technology ("adtech") in their marketing strategies. Adtech broadly refers to the analytics and digital tools used in advertising, such as Google AdWords and Facebook Ads, and much more. Discussions about adtech often revolve around the extensive and complex systems used to direct advertising to individuals and specific target audiences.
So for those of you who have been mindlessly blasting your marketing and promotion to the whole world, thinking there will be a mad rush to your website to buy what you sell, there's your silver lining. But for those of you who did a branding exercise, determined your ideal consumers, and now point your promotion directly at targeted potential buyers of your medical tourism products through Facebook Ads, Google AdWords, and other adtech outlets and systems, the GDPR will apply to you. That's just another cost of doing business in medical tourism.
Adtech includes items like digital banner ads and other delivery methods for advertising. However, adtech also includes the back-end systems that direct advertising to a target audience. This can include full marketing platforms and analytics systems, the "smart engines" of digital advertising campaigns. For example, Higowell Cloud, the new purpose-built medical tourism case management and logistics coordination software, is described as GDPR compliant, and some of its internal features help facilitators organize and maintain data that might be used for analytics and marketing. Some medical tourism sellers promote specific results in SEO strategies using "digital direct mail," which aims to deliver digital messages to just the right people over specific venues and platforms. They will be affected by the GDPR.
For companies hired by a medical tourism supplier or marketer to do audience measurement, GDPR compliance could force significant changes in methodology and best practices. Are you using Google Analytics? Are you using cookies on your website? Until now, the majority of audience measurement has been conducted via site-centric tagging to obtain census-level data. Under the GDPR, a visitor must give specific, informed consent for each purpose a non-essential cookie or tag serves (analytics, advertising, and so on), and may withhold it. That means the resulting data will be at best partial, not to mention the legal challenges involved and the fact that different publishers implement tags in different ways. And how will you retain that data, and the record of the consent behind it, if you receive a summons and complaint?
For health and wellness tourism sellers and referral agents who want to understand competitors, for website publishers who want to monetize their audience, and for the adtech platforms that fuel ad targeting, the new rules could make it significantly more difficult to execute data deals, obtain data without explicit user consent, and use industry-standard tools like cookies on a website. Since I don't monetize my blog articles with banner content, I don't have to worry there. I have cookies on my website, but the vendor who manages my cookies has already updated my code and data management to be compliant. We don't use the cookies except to tailor the viewing experience, because I eliminated certain things from my website that are implicated under the GDPR. To get past the cookie notice, one must click to consent. And if they don't consent, they must leave my site immediately. Those are the terms and conditions.
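As an added example (not from the original post, and not any cookie vendor's code), here is the consent gate in miniature: non-essential tags load only after the visitor has explicitly granted the matching purpose, a missing, unreadable or stale consent record counts as no consent, and each decision is returned so it can be logged for the day a complaint arrives. The purposes, tag names, consent version and storage key are assumptions for illustration.

```javascript
// Added example (not from the original post): a minimal consent gate for
// non-essential cookies and tags. Purposes, tag names, CONSENT_VERSION and
// STORAGE_KEY are illustrative assumptions, not a real vendor's API.

const CONSENT_VERSION = "2018-05-25"; // bump when the notice text or purposes change
const PURPOSES = ["analytics", "advertising"]; // strictly necessary cookies are never gated
const STORAGE_KEY = "cookie-consent"; // assumed localStorage key name

// Tags to load once the matching purpose is granted. The loader is injected so
// this logic runs outside a browser too; in a page it would inject a <script>.
const TAGS = [
  { name: "google-analytics", purpose: "analytics" },
  { name: "adwords-remarketing", purpose: "advertising" },
  { name: "facebook-pixel", purpose: "advertising" },
];

// Build a consent record. Default is deny for every non-essential purpose;
// a purpose is granted only when the visitor explicitly set it to true.
function recordConsent(choices, now = new Date()) {
  const granted = {};
  for (const p of PURPOSES) granted[p] = choices[p] === true;
  return { version: CONSENT_VERSION, timestamp: now.toISOString(), granted };
}

// A stored record only counts if it matches the current notice version;
// a stale or missing record means "ask again", not "carry the old answer".
function isCurrent(record) {
  return !!record && record.version === CONSENT_VERSION && !!record.granted;
}

// Decide which tags may run. Returns the names loaded and withheld, so the
// decision itself can be written to an audit log.
function applyConsent(record, loadTag) {
  const loaded = [];
  const withheld = [];
  for (const tag of TAGS) {
    if (isCurrent(record) && record.granted[tag.purpose] === true) {
      loadTag(tag.name);
      loaded.push(tag.name);
    } else {
      withheld.push(tag.name);
    }
  }
  return { loaded, withheld };
}

// Round-trip helpers for the visitor's browser storage. In a page:
//   window.localStorage.setItem(STORAGE_KEY, serialize(record))
// Unparseable storage is treated as no consent rather than throwing.
function serialize(record) {
  return JSON.stringify(record);
}
function deserialize(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Constructed walk-through: a visitor allows analytics but not advertising,
// the record is stored and read back, and only the analytics tag fires.
function demo() {
  const fired = [];
  const record = recordConsent(
    { analytics: true, advertising: false },
    new Date("2018-05-25T09:00:00Z")
  );
  const stored = serialize(record);
  const decision = applyConsent(deserialize(stored), (name) => fired.push(name));
  return { record, decision, fired };
}
```

The point a practitioner should take from this is the default: nothing in `TAGS` runs until a current record says so, and a record written under an older notice version is ignored, so changing what you collect forces a fresh ask rather than silently inheriting yesterday's answer.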
Unlike all the medical tourism sellers who advertise to me via emails describing their product without knowing whether I care, and without my having opted onto their mailing list, I am hopeful that those emails will slow to a trickle under the GDPR. Too many medical tourism brands have exploited their customers' and website visitors' data. They've sold or traded email lists; they've opted customers and website visitors in to dozens of improper, unauthorized email communications; and they've provided no "way out" for consumers who are not interested or for whom the messages and touts are irrelevant. Health and wellness tourism sellers should not be marketing to website visitors who fill in forms and make inquiries but have not given their consent. And in case you weren't aware, consumers fill in on average 14 different forms when shopping for a medical tourism supplier, including facilitators and suppliers directly, but eventually pick one to work with. If they didn't pick you, you have no consent to keep their contact details, you are not in a direct transaction with them, and if you don't offer an opt-out at the end of each and every email, you are at risk of a GDPR violation.
- If it's not clear where your data came from, where it went, or what permissions have been granted, or if anything else about it violates the GDPR, it may be time to scrub your files.
- Document what personal data you hold, where it came from, and who you share it with. You cannot pass data (not just medical records) from one party to another without a lawful basis, which for marketing data normally means the patron's consent.
- Under the GDPR, medical tourism sellers must give individuals in the EU the ability to access, correct and erase their data, and to move it to another service provider if they so choose. So you'll need some sort of transmittal form to document each request and a way to track it.
- In the USA, if you are HIPAA compliant, you already have procedures in place to detect, report and investigate a personal data breach. If you are not HIPAA compliant and thought you weren't a Covered Entity under HIPAA, you may have thought you had a pass. Well, under the GDPR you'll need this set of procedures whether or not you are required to be HIPAA compliant, including a way to notify the supervisory authority within 72 hours of becoming aware of a breach where notification is required.
- Someone in your company, no matter how large or how small, must take responsibility for data protection compliance, and you must decide where this role sits within your organization's structure and governance arrangements. Since most medical tourism facilitators are one-person companies, plan to get up earlier each morning or stay up later each evening to fit this duty in until you can afford to hire help. You'll also need to know how to carry out a data protection impact assessment ("DPIA"). The GDPR requires organizations to conduct a DPIA for any new processing, or change to processing, that is likely to present a high risk to the rights of the individuals in the EU whose personal data is involved. This calls for a high level of transparency about both the process and the data landscape. If you get to this stage, you might as well start thinking about ISO 9001:2015 certification of your facilitator business, because this orientation to documentation is what consumers expect anyway, reasonable or not.
- Oh, and one last thing for those of you who advertise that your facilitator services are "free" to the consumer because you get paid a kickback by the medical tourism supplier: any "processing" of the personal data of individuals in the EU falls under these rules, even if they haven't bought any products or services from you, and even if you give them something for free.
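To make the list points above concrete, here is an added example (not from the original post, and not any CRM's code) of a marketing contact list in which every record carries where it came from, what the person consented to, whether they opted out, and who it was shared with, together with the three operations the points call for: scrubbing the list before a send, handing one person their record on request, and erasing it while noting which recipients must be told to erase their copy. The field names and the four contacts are constructed for illustration.

```javascript
// Added example (not from the original post): a contact list with provenance
// and consent on every record. Field names and sample contacts are constructed.

const CONTACTS = [
  // Enquiry form on our own site, explicit marketing opt-in, still subscribed.
  { id: "c1", email: "ana@example.org", source: "website-inquiry-form",
    consent: { marketing: true, at: "2018-05-26T10:00:00Z" }, optedOut: false,
    sharedWith: [] },
  // Enquiry form, but the visitor never ticked the marketing box.
  { id: "c2", email: "ben@example.org", source: "website-inquiry-form",
    consent: { marketing: false, at: "2018-05-26T11:00:00Z" }, optedOut: false,
    sharedWith: [] },
  // Bought list: provenance unknown, no consent recorded, already passed on.
  { id: "c3", email: "cara@example.org", source: null, consent: null,
    optedOut: false, sharedWith: ["partner-clinic"] },
  // Consented at a trade show, then used the unsubscribe link.
  { id: "c4", email: "dev@example.org", source: "trade-show-form",
    consent: { marketing: true, at: "2018-03-01T09:00:00Z" }, optedOut: true,
    sharedWith: [] },
];

// Return the reason a contact must not receive marketing e-mail, or null if
// it may. An opt-out wins over everything else; unknown provenance is fatal
// even when a consent flag is present, because it cannot be shown who set it.
function blockReason(c) {
  if (c.optedOut) return "opted out";
  if (!c.source) return "unknown source";
  if (!c.consent || c.consent.marketing !== true) return "no marketing consent";
  if (!c.consent.at) return "consent not dated";
  return null;
}

// Split a list into contacts that may be mailed and those to remove, each
// removal carrying its reason so the clean-up itself is documented.
function scrub(list) {
  const keep = [];
  const remove = [];
  for (const c of list) {
    const reason = blockReason(c);
    if (reason === null) keep.push(c);
    else remove.push({ id: c.id, reason });
  }
  return { keep, remove };
}

// Right of access / portability: return everything held on one person in a
// machine-readable form, including who the data was shared with. Returns
// null when no such record exists.
function exportRecord(list, id) {
  const c = list.find((x) => x.id === id);
  if (!c) return null;
  return JSON.stringify({
    email: c.email, source: c.source, consent: c.consent,
    optedOut: c.optedOut, sharedWith: c.sharedWith,
  });
}

// Right to erasure: return the list without the record, plus the recipients
// who must be told to erase their copy. The input list is not mutated.
function erase(list, id) {
  const c = list.find((x) => x.id === id);
  if (!c) return { erased: false, remaining: list, notify: [] };
  return {
    erased: true,
    remaining: list.filter((x) => x.id !== id),
    notify: c.sharedWith.slice(),
  };
}
```

Run against the four constructed contacts, `scrub` keeps only `c1` and removes the other three with distinct reasons, and `erase("c3")` reports `partner-clinic` as a downstream recipient to notify, which is exactly the "who you share it with" trail the second point asks you to keep.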
This is where the rubber meets the road
A health and wellness tourism product or destination entry and launch, or a medical tourism facilitator business, is a failure when its presence in the market leads to, inter alia:
- the withdrawal of the product from the market for any reason;
- the inability of a product to realize the market share required to sustain its presence in the market (numerous examples exist on six continents);
- the inability of a product to achieve the life cycle the organization anticipated, for any reason; or
- the ultimate failure of a product to achieve profitability.
So in closing, if you are in a health and/or wellness tourism business that is successful and has global revenues, the GDPR compliance deadline is an opportunity to get your act together, even when third parties are managing your data. Otherwise, set up a fund for legal expenses and your fines now.