ReHyb@Stelar: ReHyb approach on GDPR compliance

14.09.2021 Big data has changed the way we manage and analyze data in the healthcare industry. Using modern big data techniques can lead to better patient care, improve patients' quality of life, offer better predictions for difficult-to-diagnose diseases, and more. For such solutions to work, however, sensitive patient data often need to be collected and analyzed.

ReHyb aims at the development of an adaptive, personalized, assist-as-needed device which maximizes training efficiency during home-based rehabilitation and supports patients during their activities of daily living. Several of the project objectives require the collection of personal data from users during their daily life, using several sensors embedded in their personal space as well as in their living space. For a project with such massive personal data collection to work, it needs to abide by local and international laws and regulations.

In Europe, GDPR provides a framework within which solutions dealing with personal data from patients in the European Union need to operate. GDPR provides data owners with certain rights that need to be respected by any solution wishing to collect personal data. It also provides a set of rules on which personal data collection is permitted. It would make sense to think that GDPR will make the use of personal data by any such project very difficult, thereby reducing incentives for private organizations to invest effort and resources in building new solutions, which could lead to a decrease in medical innovation for the sake of privacy.

This, however, does not need to be the case. GDPR consolidates data protection in one regulation, making it easier for projects to protect their users' privacy. Moreover, it encourages projects such as ReHyb to take a privacy-by-design and by-default approach when developing their solutions. Data protection can no longer be an afterthought; it is core to the system itself. Additionally, by making projects more “privacy forward”, end-users are more encouraged to participate and provide their sensitive data, since they are given assurances that their personal data will be protected and that they will be able to remove them if they so wish. This increase in participation can lead to a better product, which in turn benefits the patients with more accurate results.

In ReHyb, we employ a privacy-by-design approach from the beginning of the project. We have developed an ethico-legal framework within which the project will operate. We have identified ethical and legal requirements which need to be followed for the protection of patient safety, the security and transparency of personal data processing, and privacy. We have developed data sharing agreements between the different project partners, as well as informed consent forms that will be distributed to potential participants, in which we outline the personal data which will be collected and their different uses. Finally, we are exploring relevant data protection and ethical standards with which to align the project, in addition to compliance with the GDPR.

While compliance with GDPR may seem to be an additional hurdle for projects with high demands in personal data collection, the assurances it can provide to data owners and patients about the safety of their personal data can lead to higher user participation and, as such, better results. Projects such as ReHyb can benefit by employing a privacy-first approach to data collection.