The Data Protection Officer (DPO), is a corporate figure introduced by the General Data Protection Regulation (GDPR), the EU's new law on Data Protection and Privacy matters.
As businesses that often process large quantities of (usually sensitive personal) data, Digital Health Enterprises need to understand if and when to appoint a Data Protection Officer, as well as what duties will he/she be required to perform.
MDR & GDPR: practical tips and tools for health innovators
Do I need a DPO?
Although it may be useful to designate a DPO on a voluntary basis, GDPR only mandates the appointment in some specific cases. This is when:
the data processing is carried out by a public authority or body.
the core activities of the controller or the processor consist of processing operations which [...] require regular and systematic monitoring of data subjects on a large scale.
the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
As a digital health business, you may be concerned in points 2) and 3). So, in order to understand if you need to appoint a DPO, you need to understand the different terms used by the GDPR and check if your business is covered by them.
The Ultimate Guide on GDPR and HIPAA compliance
The Art. 29 Working Party, the EU body tasked with giving opinions on Data Protection matters to EU institutions, clarifies the definitions of "core activities", "regular and systematic monitoring" and "large scale" processing in their Guidelines on Data Protection Officers (‘DPOs’).
What are the DPO's tasks
If appointed, the DPO must work in an independent manner in order to:
Monitor compliance with GDPR: he/she should collect information in order to identify and analyse processing activities and issue recommendations to the controller or the processor.
Assist the Data Controller or Processor with preparing the Data Protection Impact Assessment (DPIA): he/she should advise, for example, on whether or not to carry out a DPIA, what methodology to follow and what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects. Read our blog post about the DPIA.
Record of processing activities: the controller or the processor may give the DPO the task of maintaining the record of processing operations under the responsibility of the controller.
Conduct privacy training for Employees: inform and advise the controller or the processor and the employees on Privacy Matters; Keep up to date with privacy compliance requirements.
How Chino.io helps
If you are not sure whether your data is sensitive, or if you want to reduce potential risks, Chino.io makes it easy to implement pseudonymisation and to use our systems to securely store the most sensitive data.