GDPR compliance and cybersecurity: new challenges for the health sector

Whether you’re building tools to manage a vaccination campaign or to share medical information within a hospital system, GDPR compliance and cybersecurity are fundamental.

Why is GDPR compliance so important in times of cybersecurity crisis? While health data are intangible, their disclosure can have very tangible consequences: identity theft, fraud, financial penalties, etc.

Therefore, the best way for a company or public body to protect its data and business is to comply with the GDPR.

Christophe Forêt
President and co-founder of C-Risk

GDPR: what is it?

Context: personal data, data processing

Let’s put the GDPR (General Data Protection Regulation) in context before going further. The two pillars of the GDPR are the notions of personal data and data processing. But what do they mean in practice?

According to the French Data Protection Authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), personal data are any data, including data that do not name a person directly, that can be cross-referenced to identify a specific individual (e.g. fingerprints, DNA, or information such as “the son of the doctor living at 11 Belleville St. in Montpellier does not perform well at school”).

For example: a name, a photo or a fingerprint, but also an IP address, a computer login identifier, etc.

Processing personal data means “carrying out an operation or a set of operations involving personal data, regardless of the process used (collection, storage, modification, transmission, etc.).”

For example: keeping a register of subcontractors, managing payrolls, managing information of marketing prospects, etc.

However, let’s be clear: the GDPR did not create personal data protection regulation out of nothing.

In France, a legal framework on data processing was set up as early as the 1970s, with the Law on Information Technology and Freedom of 6 January 1978. This gave birth to the CNIL, an independent administrative authority whose main role is to ensure personal data protection. French legislators were already reflecting on data protection more than 40 years ago.

In Europe, too, the issue was debated for several decades. The foundation of the current legal framework was laid in the 1990s. Faced with rapidly changing technologies and the Internet, the EU recognized the need to legislate on these new subjects. In 1995, it passed a European directive on data protection: the European Data Protection Directive. This text established minimum standards for confidentiality and data security.

These examples of national legislation and the European Data Protection Directive served as the basis for the development of the GDPR that we know today.

Creation, implementation, and objectives of the GDPR

Although several European countries, like France, had enacted legislation on personal data protection, the issue was only dealt with at the national level, and there was no consensus on all aspects of personal data protection. The process of creating the GDPR began when the European Commission decided to take up this important subject in January 2012.

After consultation rounds, the first draft of the regulation was published in November 2013. Then the legislative back and forth started. The text evolved over the course of negotiations between the European Commission, the European Parliament and the Council of the European Union. In April 2016, over two years after the first draft was submitted, the final version of the text we know today was adopted. This delay is due to the natural inertia of Europe’s cumbersome lawmaking process, as well as to the importance of the text and the participation of many actors: Member States, companies, and citizens.

The GDPR entered into force in 2016 and has applied since 25 May 2018. The general objective of the Regulation is to establish a regulatory framework for personal data protection that is extended and applied equally to all EU Member States. It makes it easier for all EU citizens to understand how their data are used and, if necessary, to lodge a complaint about the processing of their data. The CNIL summarizes this objective in three key points:

  • Strengthening the rights of individuals;
  • Empowering the actors involved in data processing (controllers and processors);
  • Increasing the credibility of regulation through enhanced cooperation between Data Protection Authorities.

Do GDPR compliance and cybersecurity concern my company?

The GDPR is first and foremost a set of requirements for data controllers, intended to guarantee the protection of the data of every European citizen. These requirements apply both to companies and to the subcontractors that process data on their behalf. Cybersecurity, on the other hand, is undeniably a major issue and risk for businesses and individuals alike. The consequences of a cybersecurity breach are diverse, ranging from “simple” financial loss to reputational damage. GDPR compliance and cybersecurity are issues that concern us all, especially if you or your company process sensitive personal data that are vital to your business.

Why are GDPR compliance and cybersecurity tightly linked?

The GDPR, as its name suggests, focuses on data protection; its primary objective is to regulate the use of personal data. Cybersecurity is the set of means by which data protection can actually be ensured. This is why the two issues are closely linked. We can even observe a virtuous circle: improving one often has positive knock-on effects on the other. That is why the GDPR requires “the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the digital risk.”

GDPR compliance and cybersecurity: new challenges for the health sector

There are a number of ways to improve data protection and GDPR compliance. But the same problem comes up again and again: how to convincingly justify the implementation of a particular tool, project, etc. to someone not well versed in these technical subjects? Using FAIR (Factor Analysis of Information Risk) simply means quantifying, in financial terms, the risks we are exposed to, and specifically the risks associated with non-compliance with the GDPR or with a lack of data protection. Once the risks have been assessed and quantified, the solutions put in place and their return on investment can be justified in a language understood by all stakeholders.