Project deliverable Open Access
Cristofaro, Lorenzo; Panetta, Rocco
This deliverable represents the data protection impact assessment (DPIA) of the MHMD project. It has been produced to assess and certify the compliance of the MHMD system with the data privacy and security constraints and requirements set out in the GDPR.
The DPIA is a tool that the GDPR requires in particular when special categories of data are processed on a large scale, and it consists of a process for building and demonstrating compliance. It is designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of data subjects which may result from the envisaged operations involving personal data, in order to identify and then adopt the measures which allow the controller to best address such risks. In line with the risk-based approach underpinning the GDPR, carrying out a DPIA is not mandatory for every processing operation: it is only required where a type of processing, on account of its nature, scope, context and purposes, is likely to result in a «high risk» to the rights and freedoms of natural persons (Art. 35.1).
The MHMD Privacy by design and compliance assessment describes MHMD actors with relevant roles, obligations and responsibilities, personal data categories and processing operations involved, system components (user and hospital interfaces, data catalogue, blockchain architecture model), data usage modalities (i.e., data sharing and secure local computation), data de-identification measures and system security.
MHMD_D2.5_Privacy-by-design and compliance assessment (final) web version.pdf