As part of the LNS Annual Report 2018, we conducted a series of interviews and reports to better present the LNS through its staff and departments. This is the second interview featuring Alice Xavier, lawyer, followed by the corresponding report. Enjoy your discovery!
On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect. Citizens of the European Union now have greater control over their personal data and assurances that their information is being securely protected across Europe. According to the GDPR, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, a computer IP address or medical information. As a multidisciplinary institute working in the health sector and having a massive amount of personal – and mainly sensitive – data, LNS must comply with the GDPR rules. According to Alice Xavier, lawyer at the LNS until spring 2019, the public institution took many initiatives to improve data protection long before the GDPR came into force.
RECORD OF DATA PROCESSING ACTIVITIES
“Already in 2017, our doctors were invited to an information session given by the CNPD (Commission Nationale pour la Protection des Données) regarding the basics and specific vocabulary of the data protection field”, explained Alice Xavier.
“We also initiated a three-step GDPR compliance process. The first step was to make a record of personal data processing activities by department as prescribed by article 30 of the GDPR (owner, short description, purpose, number of data subjects, categories of data subjects, categories of personal data). We organised about 15 workshops with LNS stakeholders, typically heads of department or other key representatives, and shared questionnaires to prepare for the meeting. Based on the information collected in the questionnaires and during the workshops, we identified the personal data processing activities and classified them according to their risks to establish priorities for the next steps. The results were reviewed and validated by LNS stakeholders.”
GDPR HIGH-LEVEL ASSESSMENT AND RECOMMENDATIONS
The second step was to identify high-level gaps with key requirements of the GDPR (e.g., existence of specific policies and procedures, privacy considerations, data management, etc.). “A series of workshops with the LNS stakeholders in charge of legal, compliance and IT – including security – functions enabled us to create a matrix containing the list of key requirement areas from the GDPR with the high-level status of fulfilment at LNS – met, partially met or not met – and the corresponding gaps”, said Alice Xavier. “We then proposed an action plan with practical recommendations grouped by priorities and based on lessons learned, healthcare industry and best practices as well as a roadmap for implementing these recommendations. The results of the workshops, the GDPR matrix, the recommendations and the roadmap were summarised in a final report.”
APPOINTMENT OF A DATA PROTECTION OFFICER
“After the validation of the report, we appointed an external data protection officer (DPO) to help us carry out the recommendations and to address the most critical risks before the entry into force of the GDPR”, added Alice Xavier. “2018 was a crucial year to put in place governance and accountability measures, including presenting the recommendations and first steps of the DPO at the board, defining high-level procedures, describing the roles and responsibilities within LNS and setting up staff training sessions in French, English and German. These sessions aimed to ensure that each staff member has the same level of understanding of the GDPR rules (what is personal data, what are the rights of patients, what to do in case of a data breach, etc.), is aware of their individual responsibility for data protection and will apply high-level procedures efficiently.”
“For 2019, our main targets will be hiring an internal DPO, further strengthening our cybersecurity environment and going in deep with more technical procedures”, concluded Alice Xavier. “Data protection compliance is constant teamwork.”