DPIA for Cloud-based Health Organizations in the context of GDPR

Dimitra Georgiou, C. Lambrinoudakis
Published in: European Conference on Cyber Warfare and Security, 2023-06-19. DOI: 10.34190/eccws.22.1.1144 (https://doi.org/10.34190/eccws.22.1.1144). Citation count: 0.

Abstract

The General Data Protection Regulation (GDPR) is the core instrument of the reformed legal framework for personal data protection in the European Union. The GDPR has applied since 25 May 2018 and requires a Data Protection Impact Assessment (DPIA) for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used, taking into account the nature, scope, context and purposes of the processing. Although the GDPR does not exhaustively list the processing operations for which a DPIA is necessary, Article 35(3)(b) names large-scale processing of special categories of data, which include data concerning health, and the accompanying guidelines make clear that an organization processing health data on a large scale should conduct a DPIA. A Cloud-based Health Organization is an example of such an organization. Given that a Cloud-based Health Organization processes personal data whose processing could affect the rights and freedoms of data subjects under the GDPR, and that the GDPR prescribes no particular DPIA process but instead allows organizations to adopt a framework that complements their existing processes, this paper presents the last two steps of a DPIA study for a Cloud-based Health Organization and provides guidelines on how to carry them out effectively. The study is part of a project on the compliance of Cloud-based Health Organizations with the General Data Protection Regulation 2016/679. To fulfil its objectives, the PIA-CNIL methodology is applied, which is consistent with the privacy impact assessment process described in ISO/IEC 29134. The main contribution of this work is a guide designed to help Cloud-based Health Organizations identify, analyze and reduce the data protection risks arising from their processing activities. More specifically, the research presents the risks that could materialize from the data processing activities carried out by a Cloud-based Health Organization and that could have an impact on the fundamental rights and freedoms of natural persons.