Abstract
The General Data Protection Regulation (GDPR) harmonizes personal data protection laws across the European Union, affecting all sectors including the healthcare industry. For processing operations that pose a high risk for data subjects, a Data Protection Impact Assessment (DPIA) is mandatory from May 2018. Taking into account the criticality of the process and the importance of its results, for the protection of the patients’ health data, as well as the complexity involved and the lack of past experience in applying such methodologies in healthcare environments, this paper presents the main steps of a DPIA study and provides guidelines on how to carry them out effectively. To this respect, the Privacy Impact Assessment, Commission Nationale de l’Informatique et des Libertés (PIA-CNIL) methodology has been employed, which is also compliant with the privacy impact assessment tasks described in ISO/IEC 29134:2017. The work presented in this paper focuses on the first two steps of the DPIA methodology and more specifically on the identification of the Purposes of Processing and of the data categories involved in each of them, as well as on the evaluation of the organization’s GDPR compliance level and of the gaps (Gap Analysis) that must be filled-in. The main contribution of this work is the identification of the main organizational and legal requirements that must be fulfilled by the health care organization. This research sets the legal grounds for data processing, according to the GDPR and is highly relevant to any processing of personal data, as it helps to structure the process, as well as be aware of data protection issues and the relevant legislation.
Highlights
Digital cloud services are affecting the healthcare sector by injecting huge innovation, improving the quality of care, and strengthening the doctor-patient relationship. By their very nature, such services collect and manage a large amount of sensitive data and need to comply with the security and privacy requirements raised by the General Data Protection Regulation (GDPR) [1]
The work presented in this paper focuses on the first two steps of the Data Protection Impact Assessment (DPIA) methodology and on the identification of the Purposes of Processing and of the data categories involved in each of them, as well as on the evaluation of the organization’s GDPR compliance level and of the gaps (Gap Analysis) that must be filled-in
The provision of cloud-based health services involves “high-risk” processing on a high volume of data and the DPIA is a necessary step in order to protect the privacy and the rights of the patients
Summary
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. Digital cloud services are affecting the healthcare sector by injecting huge innovation, improving the quality of care, and strengthening the doctor-patient relationship By their very nature, such services collect and manage a large amount of sensitive (health) data and need to comply with the security and privacy requirements raised by the General Data Protection Regulation (GDPR) [1]. It analyzes the context of personal data processing in a hospital, the purposes of processing, the personal data required for the processing, and focuses on a Gap. Analysis in terms of the issues that must be addressed in order to achieve compliance with the GDPR.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
