To assess and, most importantly, certify the compliance of the MHMD system with the data privacy and security constraints and requirements set out in the GDPR, a data protection impact assessment (DPIA) was recently produced by our legal partner, the Panetta & Associati (P&A) law firm (Rome, Italy), as an additional deliverable in the context of WP2 – Regulatory and compliance study, under the name D2.6 – Privacy-by-design and compliance assessment. The deliverable is freely downloadable HERE.
The MHMD Privacy-by-design and compliance assessment describes the MHMD actors with their respective roles, obligations and responsibilities; the personal data categories and processing operations involved; the system components (user and hospital interfaces, data catalogue, blockchain architecture model); the data usage modalities (i.e., data sharing and secure local computation); the data de-identification measures; and the system security.
The DPIA is a tool specifically required by the GDPR when special categories of data are processed on a large scale, and it consists of a process for building and demonstrating compliance. It is designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of data subjects which may result from the envisaged operations involving personal data, in order to identify and then adopt the measures which allow the controller to best address such risks. In line with the risk-based approach underpinning the GDPR, carrying out a DPIA is not mandatory for every processing operation: it is required only where a type of processing, on account of its nature, scope, context and purposes, is likely to result in a «high risk» to the rights and freedoms of natural persons (Art. 35.1).