Compliance Management of GDPR in Healthcare Environment (University Medical Centre Ljubljana Case)

The article presents the starting points and activities of the University Medical Centre Ljubljana before and after European parliament adopted EU Regulation on Personal Data Protection in May 2016. UMC Ljubljana has designed/developed a four-dimensions scheme to help ensure compliance. Thus, we are dealing with the normative level, the procedural level, the technological level and the cultural level. Many of us are involved in the process of dealing with personal data. Many of us are involved in the process of dealing with our personal data, donating personal data, and sometimes selling it to corporations and institutions, at the same time. However, we can be the ones who in our professional environments encounter the personal data of other individuals and look at them, collect them, delete them, in short, process them. The EU regulation on personal data protection (with the "infamous" abbreviation GDPR) brings before us, on the one hand, a fundamental consideration of the nature and role of personal data and, on the other hand, a wealth of challenges, dilemmas, concerns and activities related to this area. The starting point in understanding the protection of personal data is "I am the owner of my personal data". To process personal data, each organization must have a legal basis. The collection and processing must be compliance with legal obligation, personal consent, contractual relationship, legitimate or public interest and protection of the vital interests of the individual. The collection and processing of personal data must be as small as possible and proportionate in regard to the purpose of the collection of the data. The data controller or processor of personal data must protect my data well enough. Thus, we can establish a framework here that gives us a tool in assessing and establishing the field of personal data protection.