DPO profile : Alexandra Turbellier, DPO at the Fondation Santé Service

We had the privilege of interviewing Alexandra Turbellier, who spoke about her career and her vision of the DPO profession at the Fondation Santé Service.
— How do you raise awareness of the RGPD within the main home hospitalization operator in France and Europe?
— In what way is the dual role of Attaché to General Management and DPO an asset?
— What are the personal data compliance issues in an organization that manages sensitive data?
Because the experience of a Data Protection Officer can inspire others, and because we believe that sharing best practices saves organizations time and helps compliance gain ground, every month we give the floor to one of them.
Can you look back on your journey that led you to be the DPO of your organization?
I have spent my entire career in the field of health, whether in large hospital groups or at the Regional Health Agency. I joined the Fondation Santé Service almost 4 years ago now as an assistant to the General Management.
Because of my experience in this sector of activity and my transversal vision of the Foundation's organization, the Director General naturally asked me to take up the position of DPO in 2018. Since then, I have divided my working time between my functions within the General Management and those of DPO in a structure of 1,200 employees.
In terms of organization: how were you able to identify and mobilize relays internally?
Our structure is particular, with entities that are geographically dispersed throughout Ile-de-France. We have hospital branches located in 27 establishments in the region, with coordinating nurses who collect all the administrative and medical information necessary to care for our patients at home, three health centers that each cover a geographical area of the region and take care of the patients who live there, not to mention our own pharmacy in Villeneuve-la-Garenne and our headquarters in Levallois-Perret. Given the time allocated to my DPO functions and the geographical spread of our structure, it quickly seemed necessary to set up governance by structuring a network of operational referents by profession within each site. To do this, I set up numerous workshops with each of the functional departments, which aimed to help me build our treatment register. Very naturally, through these workshops, operational referents were identified in each field of activity. At the care sites, for example, I contacted people from Management, Care and Quality as well as administrative managers in parallel. This collaboration was only possible because each of these relays chose to agree to work alongside me. We succeeded in carrying out real teamwork with these 23 people, who are our privileged contacts in the field. I bring together all these referents twice a year. Their mission is to provide information on the implementation of a new tool or new data processing on their site, to identify and locate personal data within their management, and to ensure that only strictly necessary data is collected and processed... They must also ensure the implementation of storage and archiving periods and the security of information collected from patients but also from our employees.
I also work closely with the CISO and the CIO, and this collaboration has been strengthened with the implementation of impact assessments (AIPD). We also decided to associate them with my Copil (composed of representatives of each department) and thus created a body called “Copil data protection and security”, which meets twice a year and helps me define the strategy. Finally, I work a lot with our legal manager, in particular to ensure that the contracts/agreements concluded with our external service providers comply with the required standards in terms of security, confidentiality and protection of the personal data processed.
What obstacles did you encounter and how did you overcome them?
Since we are certified as a health institution by the Haute Autorité de Santé, healthcare teams have always been well aware of the confidentiality and protection of data. I have encountered very few obstacles in this process. However, the RGPD was initially perceived as a binding regulation and an obstacle to the realization of future projects within the Foundation. I immediately understood that I needed the support of the functional departments so that the message could then be relayed in the field within the teams. So I very quickly set up my steering committee, which brought together all the departments, to show them that I was at their side to help them implement this compliance. I had to demonstrate to my interlocutors that they had, in front of them, someone with solid expertise and that they would therefore have little workload.
The fact that I am attached to the Directorate-General played a key role. It allows me to have a perfect knowledge of the projects, to integrate privacy by design more easily and to make recommendations beforehand, to have this privileged link with all departments, and to have been accepted.
The financial argument and the reputation of our establishment in the event of non-compliance were also two arguments that had a strong impact on them, especially for a Foundation that processes sensitive data such as health data.
To be credible, I wanted to show them that the DPO acted as a pillar, a conductor, and was there, present to help them. I therefore formalized each treatment sheet myself, through the establishment of workshops. As the Foundation is very active, the subjects of concern are multiple and my interlocutors lacked the time to deal with the RGPD. Thus, I came to them with completed work, which they only had to validate. This allowed me to obtain their trust and their collaboration later, especially in the implementation of AIPDs. Today, I would say that the RGPD is now accepted, the organization is more fluid and I am contacted at the outset of projects.
“The bet has been won and I am convinced that one of the keys to this success lies in the strong investment of the DPO at the beginning of the project, with great support from the general management.”
Why did you choose the Adequacy solution?
Initially, we had a tool that did not sufficiently meet the requirements needed to carry out our compliance. So I asked several service providers to change the tool. Infhotep supported me in the initial implementation of the RGPD and helped me build my treatment register through the organization of the workshops I already mentioned. When I wanted to change my tool, the Adequacy solution seemed to me to be the one that best met our expectations. The tool is clear, very intuitive and above all very complete. It brings together dashboard, action plan and AIPD in one place. Finally, it allows me to make a complete inventory of the progress of our compliance. The Adequacy solution is also highly appreciated by all of our employees for its ease of use.
The Infhotep team offers a real support service and has specific and specialized skills, especially in the field of health. It has always listened to us and was able to develop the tool and adapt it to our specific needs.
What is your vision of the DPO profession and the future challenges concerning the compliance of personal data in an organization like yours?
The GDPR was a real opportunity for organizations. It has made it possible to standardize data protection principles and to strengthen the rights of individuals, and for our field, those of patients. It also made it possible to empower our data controllers, who were not necessarily aware of the importance of protecting our data as much as they are now. The DPO therefore plays a key role in a structure like ours, which manages sensitive data.
Ultimately, I see the DPO working jointly with the CISO and the lawyer, forming a true inseparable trio. I am convinced that their role will grow, and it is necessary!
“Organizations will increasingly need his experience, his knowledge of issues, and the link that he allows to make with all departments.”
It seems to me that the function of DPO, just like that of Information System Security Manager, will increasingly be at the heart of the company and its management. Whether for new applications or new services, everything, more or less, will revolve around information systems and new technologies.
The role of the DPO will be strengthened, to frame the use of personal data from the first reflections initiated around a project or a service evolution, but also, increasingly, to challenge the CISO.
“The stronger the relationship of trust created from the start, the better we will be able to cope in the event of a crisis.”
We thank Alexandra Turbellier for the interview she gave us. You can follow and contact Alexandra directly via her LinkedIn profile.