The GDPR is a complex piece of legislation. It runs to 99 Articles and almost 200 Recitals. Many digital health companies struggle to understand their GDPR obligations. In this brief series, we will explain some of the important concepts to you and give some examples to help you understand exactly how they affect your business. We will start with one of the important roles, that of data protection officer.
The Data Protection Officer (DPO)
Under GDPR, the data protection officer (DPO) can be thought of as the champion of data subject rights. That is, she is the person upholding the privacy rights of the end users of your application. Article 39 makes it very clear what a DPO must do:
- Inform the company and their staff what their duties are under GDPR and related regulations.
- Monitor their compliance with GDPR, including assigning responsibilities and ensuring staff are appropriately trained.
- Provide advice relating to the data protection impact assessment (DPIA) and ensure the company complies with it.
- Cooperate with the supervising data protection authority.
But what does that mean in practice? Let’s look at a few concrete examples where a DPO will assist you.
Why a DPO is useful
Data Protection Officers are able to help you with any questions or issues relating to data privacy, GDPR, or local privacy laws.
Assessing whether your providers are compliant
Under GDPR, you need to make sure all your providers and contractors are themselves compliant with GDPR. Your DPO can play a key role here, helping you determine what the requirements are and advising you on things like data processing agreements (DPAs). We will look at DPAs in a later blog.
Responding to data subject rights requests
GDPR provides a number of new rights to data subjects (the people whose data you are storing or processing). One of the most important things a DPO can do is help you respond to requests relating to these rights. Two of the rights can be particularly problematic for you: the right of access and the right to be forgotten. In both cases, you need to be 100% certain the person contacting you is the real user. And in the right to be forgotten, you need to assess whether there is some reason why you can’t delete the person’s data. This is tricky in the digital health domain because often there are requirements to store data for medical purposes.
Maintaining your GDPR documentation
There are a number of key documents relating to GDPR. Some of these are mandatory (e.g. privacy policy or records of processing activities) and some are only needed in some cases (e.g. DPIA). In all cases, your DPO can help make sure these are kept up to date. If you change your provider, you will need to update all the documents. Likewise, if you start to collect additional data about users, you will need to update these documents.
When do I need a DPO?
So, now you know what a DPO does. However, what is less clear is exactly when you need to appoint a DPO in the first place. The only definite case is public bodies like hospitals, which always need a DPO. However, GDPR lists two other cases where a DPO is required:
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data.
Obviously, digital health companies are always processing health data (one of those “special categories of data”). So, the question becomes, what is “on a large scale”? And are there other times I need to appoint a DPO? There is some guidance on this, but the answer is far from clear! So, let’s look at some concrete examples.
App collects health data from thousands of users
If your app collects the health data of a large number of users, this will count as large-scale processing. A good benchmark is 10,000+ users. However, in some countries, this number may be lower.
B2B application
Many digital health companies sell backend services to other businesses. For instance, APIs to conduct hearing tests, or eye exams. Often, you will find that your customers ask you to appoint a DPO.
You employ more than 250 people
Larger companies always need to appoint a DPO. It doesn’t matter if you only have one small-scale project in digital health or are only working with a small number of users.
You have users in Germany, and you employ more than 10 people
In Germany, the Neues Bundesdatenschutzgesetz, or new data privacy law, sits alongside the GDPR and gives specific rules relating to appointing DPOs. For instance, any company with over 10 employees that is involved in any form of automated data collection needs a DPO.
Conducting clinical trials or external research
In almost every case, you need a DPO if you are conducting clinical trials. Likewise, many external research bodies will ask you to appoint a DPO, e.g., if you are working on developing machine learning models with a university.
Who can be a DPO?
The GDPR says a DPO needs “expert knowledge of data protection law and practices and the ability to fulfill” the tasks listed above. They should also be as independent as possible to avoid any perceived conflicts of interest. Typically, that means they should report directly to the board/CEO but not have any executive role themselves. However, in small companies, that may not always be feasible.
Interestingly, the DPO doesn’t have to be an employee—you can use an external consultant or lawyer as your DPO. For instance, we offer our customers “DPO as a Service” or DPOaaS. If you want to find out about this, just book a call below.
Our specific advice
We often help digital health companies to decide if they need a DPO. Of course, every case is unique and needs careful analysis. However, we have the following advice:
- Germany is easily the biggest health market in the EU. It also has among the strictest privacy rules of any country. Unless you are a tiny company, you will need an independent DPO to enter this market.
- For many people, there is a clear link between needing a DPIA and appointing a DPO. Indeed, most DPIA templates require your DPO to sign off that they are happy with the risk assessment and controls. Thus, most digital health companies are likely to need a DPO.
- DPOs are invaluable if you want to use the data you collect for research or clinical studies. Indeed, most research organisations carrying out such research on your behalf will insist that you have one.
Contact us below if you want to learn how we assist companies with DPO issues, including our DPOaaS offer.