Our services – Risk management
The risks relating to the protection of personal data and privacy arise from threats which, if they materialise, can have a high impact both on your organisation and on the fundamental rights of the individuals whose personal data is processed under your responsibility.
It is therefore essential to assess and manage these risks methodically and objectively.
What is our data protection risk management service?
- We act as a neutral, experienced observer to help you identify, analyse and assess your risks.
- We bring you our multi-disciplinary expertise in information security, data protection and legal compliance, to ensure a comprehensive approach to identifying your risks.
- European legislation requires that individuals whose sensitive data you process (health data, genetic data, in particular) be consulted on the nature of the potential impact and damage of disclosure, misuse, compromise or loss of their data. We act as a trusted intermediary between you and patient associations representing the populations included in the studies in your clinical development plan, or users of the healthcare system, to carry out this consultation.
- The potential impacts identified in this process, broken down by type of population, can be used as a basis for your future Data Protection Impact Assessments (DPIAs) and to substantiate their results.
- We’ll help you choose and implement the risk analysis method that’s best for you.
Risk-based data protection and privacy management: the cornerstone of compliance.
What risks do you face?
The risks linked to the protection of personal and health data are:
- The loss of confidentiality resulting from illegitimate access to personal data;
- The loss of integrity resulting from inaccuracy or unwanted modification of personal data;
- The disappearance of personal data resulting from their unwanted destruction or their temporary or permanent unavailability;
- The violation of the individuals’ fundamental right to control their personal data: information, access, rectification, the right to be forgotten, restriction or objection, not to be subject to an automated decision, etc.;
- The violation of your organisation’s legal or contractual obligations.
What threats are involved?
The sources of threats can be internal or external, acting maliciously or inadvertently, or through negligence, ignorance or underestimation of the legal and contractual requirements to which your organisation is subject, or of the controls it has set itself.
Why a risk-based approach to compliance?
You need to identify the threats and vulnerabilities that could compromise the personal and health data you process or the rights of data subjects. You should analyse their potential impact and estimate the likelihood of their occurrence.
This exercise will enable you to prioritise your compliance action plan by focusing first on the risks with the greatest impact and the highest probability of occurrence.
What are the potential impacts of risks?
For the individuals concerned and the protection of their personal data, the potential impact may be all the more critical in the case of vulnerable individuals, depending on factors such as age group, type of illness, the possible benefits and risks of participating in the study, the nature and historical or prospective depth of the data collected, possible dependence on relatives or carers, the capture of outpatient data, genetic data, etc.
The impact of risks to personal data is most often material or moral (non-material) harm, for example denial of access to a job or housing, or cyber harassment, resulting from identity theft or from the misuse of health data.
For your organisation, the materialisation of risks can mean negative financial outcomes (administrative penalties and/or compensation for damage caused), operational burden (an injunction from a data protection authority to stop data processing operations), or reputational damage (loss of trust among patients, your partners or your investors).
Data protection risks analysis methods
Here are a few reference methods for analysing information security risks:
- ISO/IEC 27005:2022: Information security, cybersecurity and privacy protection – Guidance on managing information security risks.
- The EBIOS Risk Manager method, the French benchmark recommended by the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), a method that helps organisations identify and understand their own digital risks.
- The CNIL method in France, based on EBIOS and adapted to the specific context of PIA (Privacy Impact Assessment), or DPIA (Data Protection Impact Assessment).
Why choose Alcoam by Design?
We offer a turnkey risk management service: providing expertise, appropriate tools, and our knowledge bases, acting as a trusted intermediary with the individuals affected by your data processing, and providing tailored support.
The approach we propose streamlines and optimises the risk analysis process, ensuring compliance with regulatory requirements while saving time by capitalising on the development of your own knowledge base as your risk management progresses.
Alcoam by Design is a consulting firm dedicated to DPO, audit, and data protection consulting services in the healthcare sector. Our sole focus is on delivering these services. Our growth is based exclusively on “word of mouth,” which requires us to conduct each assignment with professionalism.
Alcoam by Design has established internal rules for managing its client portfolio and services to prevent any potential conflicts of interest or obligations.
Our other services for the protection of health data
- Internal or data processor audit
- Training in health personal data privacy
- Data Protection Officer (DPO)
You can put your trust in us to meet your need for compliance in personal data protection and privacy in the health area:
Do you have a specific question related to data protection in the health area? Ask us your question, and we will be happy to answer it at no cost to you.
Would you like to be put in touch with a member of our customer or partner network, to receive confidential feedback on our services?
Would you like to know more about our company: our working methods, tools and knowledge base, our ability to meet your needs and projects?
All the terms of our discussions are regulated by our personal data protection and privacy policy.