You may think that ensuring compliance with data protection in a large organisation is even harder than in a smaller clinic. However, it can be the complete opposite as you may find yourself having to appoint a Data Protection Officer (DPO) who takes over this role. Whether you need to do this or not will depend on the conclusions of a Data Protection Impact Assessment (DPIA) as per Article 35.
The use of new technologies such as EHR or health apps combined with large quantities of sensitive data such as in the case of a hospital means it is necessary to carry out a DPIA following the advice of a DPO. It is the data controller (doctor or other in charge of the data) who has to instigate this.
Data processors too have to think about a DPIA and if you are developing a health app this means you also have a responsibility:
- “the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9“
When appointing a DPO, whether in the context of a larger clinical setting or app development, you can use the same DPO as other establishments as long as you easy access to that person. They can be part of your staff (and potentially fulfil other functions). You must communicate who your DPO is to the supervisory authority.
Even if a DPO is appointed the data controller is still required to record all the processing activities.