The General Data Protection Regulation (GDPR) came into force on May 25, 2018. It sets the rules that organizations must follow whenever they process personal data (DCP, from the French "données à caractère personnel").
In concrete terms, the regulatory framework requires that when an organization, for example a company, processes personal data, it must record that processing in a register of processing activities, define its legal basis, and assess its impact on privacy. Processing is understood in a very broad sense and covers the entire data life cycle, from collection to erasure.
When the text entered into force, great confusion surrounded the role of the Data Protection Officer (DPO) and whether appointing one was mandatory. In fact, appointing a DPO is only mandatory for certain organizations, including public authorities and bodies, and organizations whose core activities involve large-scale processing of special categories of data such as health data.
At Ventio, Jacques Badagbon passed the PECB exam in May 2021 and obtained the PECB Certified Provisional Data Protection Officer professional title in September 2021, making him probably the youngest person in the world to hold this certification.
A look at the role of the DPO, the Provisional DPO title, and the challenges of securing health data.
The role of the DPO is at the heart of GDPR compliance: he/she exercises an independent advisory role, monitors compliance with the rules laid down in the GDPR, and is the privileged point of contact for the supervisory authority, namely the CNIL in France. The DPO is also able to audit organizations and support the analysis of the impact of processing operations on privacy (the data protection impact assessment).
The French association of personal data protection correspondents (AFCDP) brings together members of the profession in France, allows them to share experience, and publishes best practices, particularly in response to questions raised by new digital technologies.
- Jacques, why did you take this training to become a certified DPO?
At Ventio, I hold the position of chief information security officer (CISO). Because processing sensitive data does not only involve cybersecurity, a field in which I am trained thanks to my Master's in Networks and Telecommunications, I followed a five-day training course on personal data protection and, after passing the exam, obtained the title of Provisional Data Protection Officer from the certification body PECB. I also supplemented these skills with training on how to conduct audits and how to carry out a privacy impact assessment.
- What does it mean to be a Provisional DPO?
The "Provisional DPO" certification is an intermediate step towards the final "Certified DPO" certification, which I will be able to claim after two years of experience at Ventio. Over the course of my CISO missions, and while supporting the compliance of the cloud services developed at Ventio, I will put into practice the essential measures for handling sensitive data within the meaning of the GDPR (privacy by design, privacy by default, keeping the register, privacy impact assessment, compliance audit, etc.). All this under the supervision of my manager, who is a certified DPO according to the CNIL standard.
- What are the challenges for the protection of sensitive health data?
Hacking of hospitals, major leaks of sensitive data... the news is full of stories of cyberattacks highlighting the vulnerability of health information systems. In mid-September, for example, Assistance Publique – Hôpitaux de Paris (AP-HP) announced that it had been the victim of a cyberattack resulting in the loss of sensitive health data of 1.4 million people who were tested for Covid-19 in 2020.
Faced with this threat, the protection of sensitive data is a major strategic issue for this type of structure, and more generally for all organizations that hold and process sensitive health data. Having the technical and legal skills in-house is not always easy, given the specialization of this field and the rapid pace of change in information technology.
Indeed, being GDPR compliant relies on a continuous improvement process that aims to reduce the risks both for data subjects and for organizations. The latter may be sanctioned by the supervisory authority in the event of non-compliance with their obligations leading to a data breach.
Ventio, which specializes in the design of secure and privacy-protecting cloud services, can support you in your compliance efforts and instill good practices for the management of sensitive data in your organization. Let's talk about your projects!