Background
Apreo Health is a development stage medical technology company, developing innovative, globally applicable treatments for pulmonary disease. Following the development of their airway implant, which aims to treat patients with severe emphysema, the company is preparing for a US clinical trial roll-out and is now trialling the device across the European Union.
Due to their size, Apreo Health did not have an in-house GDPR expert and needed help navigating complex data protection laws across multiple jurisdictions. They contacted The DPO Centre for support in implementing data protection measures and ensuring compliance when controlling and processing sensitive medical data.
Challenges
- EU Data Protection Representation
- GDPR understanding
- Sensitive data handling
Solution
The designated DPO first completed a comprehensive review of Apreo Health’s existing compliance framework, leading to a detailed gap analysis and risk assessment mapped against the GDPR’s 7 principles.
The DPO then supported the development and implementation of tailored policies and procedures, ensuring compliance with the EU GDPR. They defined a structured process for sensitive data handling through completion of a Records of Processing Activities (RoPA), which also helped to identify and mitigate risks.
By providing expert guidance and advice to the wider Apreo team, the DPO was able to elevate staff understanding of the GDPR and other data protection regulations. The DPO continues to act as the company’s EU Data Protection Representative for European data subjects and regulators and regularly reviews the privacy framework to ensure compliance with changing data protection legislation across multiple jurisdictions.
Outcome
Leland Keyt, Vice President of Regulatory Affairs and Quality Assurance at Apreo Health, said ‘The DPO Centre is an understanding and collaborative partner. They understood our constraints and helped develop a data privacy programme that was both GDPR compliant and appropriate for Apreo’s current stage of development. The data privacy programme was developed to grow and mature as Apreo grows and matures.’