Relevance and cost of the Data Protection Officer in healthcare organizations

By | Sunday January 22nd, 2017

The legislation fixes the data protection as a general problem of high priority, and obliges organizations address data protection seriously and consciously, outlining the tools and strategies to get organized coherently and do their part to counter this risky situation. The GDPR defines an approach for the creation of a system in which information security is a default value, constantly maintained since from the design of a process, based on prevention and awareness. One of the main tools to govern this system is the Data Protection Officer – DPO.
According to the best practices, the designation of the DPO should be preceded by a careful analysis. This assessment should highlight the aspects related to responsibilities, conflicts of interest, costs and benefits.
The DPO, in fact, can not hold a position in the company which could lead him to a conflict of interests (GDPR Sect.4, Art. 38). In particular, he can not be responsible for activities that contribute to the definition and management of security policies on data processing. Therefore, he is not eligible to hold a role with direct responsibility on data protection policies.
The responsibility for the protection of personal data is on the Controller (GDPR, Art.24) and on Processor (GDPR, Art. 82).
The DPO must be a subject that possesses a high-level view. He can be an employee of the organization or an external regularized via a specific contract (WP29 Guidelines on Data Protection Officers, Art. 2.4).
However, the adoption of a DPO can depend on factors such as company size, the existence of the required skills already within the organization, the experience and the internal culture of privacy.
In healthcare companies of a certain size and in which there is greater culture and awareness on data protection, the choice of a Data Protection Officer must fall on any existing internal subjects, who possess the skills gained over the years in health care, and in possession of specific certifications for the government of data protection.
The DPO is a significant actor that performs multiple functions (GDPR, Art. 39):

– inform and advise the actors who perform the treatment of their obligations in data protection;
– monitor regulatory compliance, in particular with GDPR and specific rules on personal health data;
– activate the Controller and Processor to perform Data Protection Impact Assessment and monitor the performance (GDPR, Art. 35);
– cooperate with the Data Protection Supervisor: the DPO is the interface to request official opinions and reporting data breach.

DPO plays in a strategic position: he must be an authoritative figure who must inspire confidence within the company and externally. Not a mere figurehead, but an actor prepared able to understand regulations and technologies, with long experience and able to know relate properly: a key player in the growth of the organization.
The cost of a Data Protection Officer in an healthcare organization can start from 80,000 EUR / year, plus any resources needed for its sustainability within the company. To perform its tasks, in any case the DPO will exploit the existing resources.
Not to define the DPO involves penalties of up to 10 million eur (GDPR, Art. 83 paragraph 4).
Despite not having a direct responsibility for the management of data protection policies, it is very likely that the DPO owns a civil and contractual liability towards the company on which it depends, because the activities provided by him have direct impact on the processes and the general degree of compliance.

Anyway, it’s impossible to acquire the skills of a DPO with a three or four-day training course. So, the health organisations must choose this actor knowingly.

Category: Data Protection Officer Tags: , ,

About Giampaolo Franco

Giampaolo Franco, degree in Computer Science, Certified Information Security Manager (CISM). Dr. Franco has more than 10 years of experience in governance, risk management, and compliance at Azienda Provinciale per i Servizi Sanitari (APSS, the main healthcare provider of the Autonomous Province of Trento). He is involved in several activities at APSS, including business continuity and disaster recovery, risk analysis, privacy compliance, awareness, internal / external audits, incident management, optimization and quality control of IT processes. Previous work experiences include project management, analysis and programming for several financial institutions. He has also been a consultant for the University of Trento, working in a project aimed to define organizational and security aspects related to the introduction of integrated models of digital teaching in school. Dr. Franco continues to pursue research, education and awareness activities related to information security for the Public Administration with remarkable passion and leadership. He is a member of the ISACA VENICE Chapter, Oracle Community for Security and contributor of Europrivacy. In 2016 he's the winner of the European Institute of Innovation & Technology - EIT Digital pre-incubation programme with a project on Art&Technology.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.