Risks involved with processing health data

Processing personal data may lead to risks to the rights and freedoms of persons. Even more so if it concerns sensitive data, like health data. The GDPR provides for legal measures to limit the impact of these risks. It provides data subjects with rights and controllers and processors with obligations. The GDPR requires controllers to take (organisation specific) technical and organisational measures depending on the severity of the risks for the rights and freedoms of persons.

Risks include accidental or unlawful destruction, loss, alteration, unauthorised disclosure and unauthorised access (data breach). A data breach may be internal or external due to the very nature of modern technologies. One of the most well-known external risks are cybercrimes. These risks put a high strain on the IT department of a healthcare institution.

Another risk inherent to modern technologies is the use of health data by individuals. What happens behind the scenes of websites is that digital footprints are tracked and used by profilers to generate profiles which can be sold to the highest bidder. The result of this is most often targeted advertisements. People are mostly not even aware of this.

Finally, also inherent to modern technologies is that data is not limited to countries’ borders. Data can be transferred and stored anywhere in the world. Offering a similar level of protection within the EU is one of the reasons why the GDPR was created. However, when personal data moves across borders outside the EU, there is an increased risk to maintain the high level of protection offered by the GDPR. It might be for example more difficult for people to exercise their data protection rights. This is why the GDPR provides for strict rules for transfer of data outside the EU.