The GDPR (General Data Protection Regulation) regulates the personal data processing in the European Union. Every company collecting or processing data in the EU must comply with it.
The Regulation requires companies collecting sensitive data such as health data to carry out an impact assessment (or DPIA). The purpose of this is to assess the level of risk to users' rights and freedoms.
The Sunrise impact assessment was conducted by François, QA/RA Manager at Sunrise.
As a Quality and Regulatory Affairs Manager, what are your daily tasks at Sunrise?
My role is to ensure that from design to delivery of Sunrise products at the user's end, we comply with our own standards as well as those imposed by the various regulations to provide safe and efficient products.
This involves product release, risk analysis, review of test protocols and reports and so many documents to ensure end-to-end traceability.
Why did we undertake an impact assessment this year?
In fact, this is one of the obligations imposed by the GDPR. Of course, we had already considered the risks related to data confidentiality in the development of Sunrise. This privacy management is crucial when developing medical software. But this analysis had not been formalised according to the expectations of the GDPR. That is why this year we decided to remedy this, and it also allowed us to review everything to have an up-to-date diagnosis.
What is the purpose of the impact assessment provided for by the GDPR? What kind of authority?
The impact assessment required by the GDPR must determine whether the controls and protection of personal data we have set up are sufficient to safeguard the confidentiality and integrity of our users' data.
How does it work?
To carry out this DPIA, we used software made available by the CNIL, the French independent authority in charge of all issues related to the protection of personal data.
With the cooperation of the software development team, we first describe the process being analysed: what data is used, why, how, how long, etc.
Then we make sure that we use the data in a proportionate and necessary way. In short, we only collect what we need to provide the service to our users and that we have put everything in place to ensure that users have control over their data. Users can find all this explained in our privacy policy which they must accept to use our product.
Finally, a risk analysis is carried out, detailing the threats to the data (unauthorised access, deletion) and the various protection measures that have been set up, whether technical (authentication, encryption, etc.) or organisational (access controls, risk management, etc.). We must be aware that there is no such thing as zero risk. However, we do everything possible to ensure that it is as low as possible.
Once this analysis is complete, it is reviewed by our Data Protection Officer who gives his approval for the data processing.
In concrete terms, what does this mean for users?
For users, this does not change anything in their use of Sunrise.
What about the Sunrise team?
As a result of this DPIA, we have identified areas for organisational improvement that will further strengthen the protection of our users' data. There will be some procedures or training to improve in the next few months.
Thank you François!
