Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We are meeting today to talk about the General Data Protection Regulation (the GDPR) which is, I remind you, the reference text in terms of personal data protection and which came into force in the European Union on May 25, 2018.

The question of the day is whether it is possible to implement a data protection impact assessment a posteriori, i.e. once the processing has already begun. The impact assessment is a tool to ensure compliance with the GDPR and is intended for processing operations that could generate high risks for the rights and freedoms of the data subjects, i.e., it balances the security measures implemented by the data controller with the rights and freedoms of the data subjects.

So, in practice, the impact assessment can be done as you wish, but the CNIL provides software called PIA that allows you to perform your impact assessment in a very clear and simple way. So, you can use this software and it is better for all these reasons to set up the impact assessment before your processing because it will allow you, if you find that some security measures are insufficient or are badly used, to adopt corrections before your processing.

However, the GDPR is not always straightforward so you may have forgotten to implement your impact assessment. If this is the case, there is nothing to stop you from doing it anyway during your processing. This will allow you, if you have corrections to make on certain security measures, to identify and implement them and, otherwise, if you identify a data breach, you can still notify the CNIL to be truly in compliance with the GDPR.

In conclusion, the impact assessment is preferably set up before the processing, but nothing prevents you from setting it up during your processing if you have not been able to do it before. Please refer to the CNIL website to know in which case you have to set up an impact assessment. And I remind you that this is the responsibility of the data controller with the help of his processor, if necessary.

That’s it for this video, I hope you liked it. If you did, don’t hesitate to subscribe to our channel and to like this video and you will find in the information bar information on our services and in particular the monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.
