GDPR and IoT
The 21st century will be remembered as the era in which digital technology and data became central to everything. Thanks to digital technology, smart objects (also called IoT) and the interconnection of systems, everyday uses and businesses are greatly facilitated: information flows more easily and faster. This information, called “data”, can be strategic, financial, qualitative as well as quantitative, and sometimes personal, and these categories are not mutually exclusive. Personal data comes in many forms, and among them is health data: data that gives information about the past, present and future health of an individual.
In the healthcare sector, the expansion of digital and connected objects has made a significant contribution to facilitating access to care, delivering more accurate care, and advancing research. Let’s take as an IoT example a connected floor that detects falls in a nursing home room: motion sensors installed in the floor send all their readings in real time to an application that records them and builds behaviour patterns. Paired with artificial intelligence, the system detects suspicious or unusual events, and an alert is sent so that caregivers can act quickly. The benefits of this easier data processing are undeniable and address many of the challenges currently faced in the field of care.
Risks and responsibilities
But what would happen if all or part of this resident’s file were deleted, or published on the internet?
In either case, the physical and moral consequences for the person’s life would be considerable.
And who would be responsible?
Would it be the resident? The caregiver? The facility director? The publisher or manufacturer of the medical device? The hosting provider? The network operator?
The data flow
Let’s look at the circuit followed by the health data collected by our IoT, the connected floor.
1. The behaviour data belongs to the resident (1st actor).
2. It is generated by the carpet and the connected app associated with it (2nd actors: the publisher and/or the designer).
3. It passes through other media, which may be the medical record, for example, remote monitoring software, or any other tool with which it is useful to share it (3rd actors).
4. To make this transit, it travels over an internet link, and often through a wifi system (4th actors: internet operator, box manufacturer, wifi portal publisher…).
5. Finally, it is stored somewhere, in a local data center or at a hosting provider (5th actors).
6. And then it is reviewed by the nursing staff (6th actors).
We could have gone into the circuit in more detail, but this illustrates a state of affairs: the data transits, and its journey must be secure because harm can arise on each leg of the road.
While it is easy to see the multitude of benefits of this use of personal data, the impact on the individual’s privacy in the event of an alteration of the data or a breach of its confidentiality can be significant. This is why some state and supra-state regulators regularly strengthen the regulatory framework for personal health data.
Consider that each actor mentioned above, in one way or another, processes the data within the meaning of the GDPR. In this way, each actor is, through its contribution to the processing, either jointly responsible with the facility (a joint controller) or a subcontractor of the facility (a processor).
What does this mean for the facility director and what are his/her obligations?
The director must meet the obligations and requirements of the GDPR for his/her organisation.
In this sense, he/she needs to know:
- what data is being processed,
- why it is being processed, and by whom,
- and how it is secured.
But the systems are often connected to external players. If subcontractors or co-processing players are involved (see the actors above; this is the case whenever external software is used or data is hosted outside the facility), which is usually the case, the manager will have to ensure compliance and the suppliers will have to provide proof of it.
Let’s take the example of our IoT, the connected carpet: the director will have to make sure that the manufacturer or publisher of the solution is GDPR compliant and able to prove it (in particular through its records of processing activities). He/she will also have to make sure that the wifi solution implemented to let the data circulate is sufficiently secure, which is why he/she will take the same approach with this provider.
Your compliance/security check-list
- Map your data and processing activities if you haven’t already done so.
- Identify your subcontractors and verify their guarantees so as to surround yourself with trusted providers.
- Study the guarantees of each new subcontractor and of its own subcontractors (the hosting provider, for example, in the case of a SaaS solution publisher).
- Assess the compliance of your subcontractors.
Once these four points have been properly checked, you can relax about the compliance of your project using connected solutions.
Choosing your suppliers and subcontractors is ultimately the most important point of your connected project. Indeed, within the scopes that are beyond your direct control, they are the ones who will ensure that the data is processed safely. But it is your responsibility to demand these guarantees.