
General Data Protection Regulation (GDPR)

Introduction to the General Data Protection Regulation (GDPR). Interview with a legal expert of the University of Groningen.
JEANNE MIFSUD BONNICI: Thank you for having me here. I’m Jeanne Mifsud Bonnici. I am a professor of Technology Law and Human Rights at the faculty of Law of the University of Groningen. My teaching and research thus relates about this relationship between technology, on the one hand, and law on the other side. In this context, I’ve also participated in two online courses, one on the General Data Protection Regulation, and the other on the use of health data in the medical context.
Thank you. That’s a good question. Why? The legislator has made a separation in the GDPR between normal personal data, so our name, our information, and other categories of data that are more sensitive, for example, your political belief. And in this category of sensitive data, there is also health data, or data concerning health. And so we thought this needs more attention because it’s a sensitive category of data.
Processing of sensitive data, or as the law calls it, special category of data, and it tells you already it’s a special category, so we can’t just use it whenever we want. There are situations where we can use it. One situation is where the person whose data we are going to use gives consent. They allow us to use that data. Other situations are when it’s in the interest, vital interest, of that person. So imagine a person has just had a serious accident. They cannot speak. That means, though, still that we can use their data, and we can use the medical situation for their health.
The third, and related to this, is to provide them with healthcare. There are some conditions for this, but of course, data is allowed to be used in the healthcare context. Fourthly, and also very importantly, we’re allowed to use some of this health data in the context of research and statistical analysis. Of course, when we’re using this data in any of these situations, we also need to make sure that we’re using it responsibly. So we need to make sure that we don’t have excessive data that we don’t need. Data minimization principle. We also need to make sure that we’re keeping this in a safe way, in a good way.
For example, if we’re using this in research, we need to consider whether we can anonymize this data or pseudonymize this data and also how to encrypt it and keep it safely.
Yes, there is, and indeed, the law takes care of this in different ways. I will focus on two of these, one before we start using this data and one during the use of this data. The first one is a data protection impact assessment. When we’re using a lot of data, it is good to stop, reflect, what will be the effect of using this data on the rights of these data subjects? This process is often referred to as a data protection impact assessment. A second thing is that every institution has what is known as a data protection officer. This person is mostly responsible to see that we do abide by the General Data Protection Regulation.
Indeed, not everything always goes right, and the legislator thought about this too and has made rules on how we deal with a situation like a data breach. If a data breach happens unfortunately, then we need to report. Not months later, but within 72 hours. So there is a very strong obligation to report this quickly. To whom? First, to the data protection officer of the organisation and to the data protection authority of that country. In certain situations, we also need to inform the data subjects, or the people whose data has been breached and possibly made public.
We offer two courses online, one on the General Data Protection Regulation and one more specifically on data concerning health. Both give a good basis of understanding on how the rules on data work. As a research group, the STeP research group works very closely on these teams, and you can visit our website for our recent publications on this topic.

To learn more about the General Data Protection Regulation (GDPR), we have turned to legal expert Jeanne Mifsud-Bonnici.

Jeanne is a Professor in European Technology Law and Human Rights at the University of Groningen, the Netherlands. She is also involved in the FutureLearn course on Understanding the GDPR and educator of the course on Protecting Health Data in the Modern Age: Getting to Grips with the GDPR.

In this video, we ask her to explain why the GDPR is so relevant for the implementation of AI in healthcare. Want to know more about the GDPR? Don’t hesitate to take these FutureLearn courses as well!

This article is from the free online course How Artificial Intelligence Can Support Healthcare.
