General Data Protection Regulation (GDPR)

JEANNE MIFSUD BONNICI: Thank you for having me here. I’m Jeanne Mifsud Bonnici. I am a professor of Technology Law and Human Rights at the faculty of Law of the University of Gronigen. My teaching and research thus relates about this relationship between technology, on the one hand, and law on the other side. In this context, I’ve also participated in two online courses, one on the General Data Protection Regulation, and the other on the use of health data in the medical context.

Thank you. That’s a good question. Why? The legislator has made a separation in the GDPR between normal personal data, so our name, our information, and other categories of data that are more sensitive, for example, your political belief. And in this category of sensitive data, there is also health data, or data concerning health. And so we thought this needs more attention because it’s a sensitive category of data.

Processing of sensitive data, or as the law calls it, special category of data, and it tells you already it’s a special category, so we can’t just use it whenever we want. There are situations where we can use it. One situation is where the person whose data we are going to use gives consent. They allow us to use that data. Other situations are when it’s in the interest, vital interest, of that person. So imagine a person has just had a serious accident. They cannot speak. That means, though, still that we can use their data, and we can use the medical situation for their health.

The third, and related to this, is to provide them with healthcare There are some conditions for this, but of course, data is allowed to be used in the healthcare context. Fourthly, and also very importantly, we’re allowed to use some of this health data in the context of research and statistical analysis. Of course, when we’re using this data in any of these situations, we also need to make sure that we’re using it responsibly. So we need to make sure that we don’t have excessive data that we don’t need. Data minimization principle. We also need to make sure that we’re keeping this in a safe way, in a good way.

For example, if we’re using this in research, we need to consider whether we can anonymize this data or pseudonymize this data and also how to encrypt it and keep it safely.

Yes, there is, and indeed, the law takes care of this in different ways. I will focus on two of these, one before we start using this data and one during the use of this data. The first one is a data protection impact assessment. When we’re using a lot of data, it is good to stop, reflect, what will be the effect of using this data on the rights of these data subjects? This process is often referred to as a data protection impact assessment. A second thing is that every institution has what is known as a data protection officer. This person is mostly responsible to see that we do abide by the General Data Protection Regulation.

Indeed, not everything always goes right, and the legislator thought about this too and has made rules on how we deal with a situation like a data breach. If a data breach happens unfortunately, then we need to report. Not months later, but within 72 hours. So there is a very strong obligation to report this quickly. To whom? First, to the data protection officer of the organisation and to the data protection authority of that country. In certain situations, we also need to inform the data subjects, or the people whose data has been breached and possibly made public.

We offer two courses online, one on the General Data Protection Regulation and one more specifically on data concerning health. Both give a good basis of understanding on how the rules on data work. As a research group, the STeP research group works very closely on these teams, and you can visit our website for our recent publications on this topic.