BACKGROUND
The digital transformation of health data has enabled the utilization of advanced data analytics and Artificial Intelligence (AI) techniques, which are crucial for driving innovation in healthcare. Countries such as France, the UK, Germany, and the US have adopted strategies to secure and ethically manage health data. In France, the Health Data Hub and clinical data warehouses (CDWs) within hospitals are central to this effort. However, the stringent regulatory framework, including the GDPR and the French Data Protection Act, presents significant implementation challenges.
OBJECTIVE
This paper aims to evaluate the applicability of the French CNIL CDW framework through an experiential analysis of its implementation and operational challenges in university hospitals within the French Great Western region. The study seeks to provide insights into the encountered obstacles and propose areas for improvement to enhance compliance and facilitate research.
METHODS
A detailed evaluation was conducted in May 2023 at the University Hospital of Rennes (CHU de Rennes) on the compliance of their eHOP CDW with the CNIL framework. The study categorized the framework’s requirements into those applicable to the eHOP software and those relevant to the institution's implementation. Each criterion was assessed by technical managers and data protection officers, with validation by information security officers.
RESULTS
Out of 116 criteria in the CNIL framework, 25 were identified as relevant to the eHOP software, with 15 criteria fully compliant, 7 non-compliant or partially compliant, and 3 not applicable. Institutional responsibilities covered 91 criteria, with several key areas identified as non-compliant or partially compliant, primarily involving security and governance measures. Notably, challenges in data retention management, encryption of sensitive genetic data, and robust authentication mechanisms were highlighted.
CONCLUSIONS
The study underscores both the benefits and challenges of implementing the CNIL CDW framework, emphasizing the need for technological and organizational adaptations to meet compliance requirements. Proposed adjustments aim to streamline research processes while maintaining stringent data protection. This evaluation offers valuable insights for other institutions and frameworks aiming to balance rigorous data protection with research and innovation needs. Future research should extend the scope to include multiple institutions and CDW technologies to validate and generalize these findings.