Analysis of the GDPR's Effects on a Medical Application
Permanent address of the item is
Analyysi GDPR:n vaikutuksista lääkinnälliseen sovellukseen
The European General Data Protection Regulation (GDPR) came into full effect in May 2018 after a two-year transition period. The regulation aims to improve the data protection of the citizens of the European Union. The regulation also affects the rest of the world. Although not all the rules introduced by the GDPR are new, the regulation contains novel requirements both regarding data protection and information security level. One of these new requirements is the right of a natural person to be forgotten in certain circumstances. The novelty of the GDPR and in some parts the general wording of the rules contained in the regulation may create difficulties in interpretation for the entities that have to con-form to the regulation’s rules. This thesis examines through the analysis of a medical application, the impact of the regulation on data controllers and software developers dealing with data concerning health. The data protection and information security requirements presented by the GDPR are applied to the analysed application. The application is analysed against the requirements derived from the GDPR with the help of the Software product quality model of the ISO/IEC 25010 standard. Based on the conducted analysis, the application is in a good state regarding the GDPR even when some changes need to be implemented. At this stage, the impact of the GDPR on applications containing data concerning health is not significant if best practices were used to develop the application. The impact of the GDPR lies more in the general approach to managing risks directed at the software since the content and the amount of personal data should be considered in risk management. In addition to the analysis of a medical application, this thesis contains an analysis of the previously existing privacy legislations of the United States, Finland and France. The related privacy laws of these countries are compared to the GDPR so that the content and new additions of the new GDPR would be more apparent.