Medical Data is a very sensitive element, whose exposure may bring unexpected risks. Your data is much more exposed than you think, and I am proposing ways to mitigate that.

1. 1
an atos business
How to mitigate the exposure risk in clinical
data
A discussion about the data of health and the health of data
Josema Cavanillas - VP - Head of Health & Life Sciences Sales for Eastern Europe
18/05/2023

3. 3
How did you know?
3
Places you have been to
Past/future bought items
Sports interests
Intended future actions
Culture topics
Pets

4. 4
What else?
4

5. 5
How to mitigate the exposure risk in clinical data
A discussion about the data of health and the health of data
5
Josema Cavanillas
VP - Head of Health & Life Sciences Sales for Eastern Europe
Member of the Atos Scientific Community
Member of the Atos Expert Community

6. 6
We expand
the possibilities
of data and technology,
now and for generations to come.
We are
6

7. 7
A snapshot
• We're a circa €5 billion revenue Atos business that will become
an independent company in late 2023.
• A new digital scale-up where brilliant minds come together to
sustainably expand the possibilities of data and technology.
• We cover 6 areas (Digital Transformation, Smart Platforms,
Cloud, Advanced Computing, Digital Security and Net Zero) in 7
industries,
• We're unique in being able to bring all these capabilities
holistically for our clients with the combination of our own
Intellectual Property (IP) and of the IP of our leading
partners.
57,000 engineers and problem-solvers in
45 countries.
Worldwide #1 in managed security
services
Worldwide #3 and European #1 in high-
performance computing
Visionary In Public Cloud
Leader in Data & Analytics
Deep expertise in technology and data
value chains: 2,100 patents,
50,000+ certifications
7

8. 8
Where the people are
8
57,000 engineers and problem-solvers in 45 countries.
Americas
5,200
30% revenue
Central & Southern Europe,
Middle East and Africa
21,000
47% revenue
Northern Europe and APAC
31,000
23% revenue

9. 9
Our Core Values
We’re one #TeamEviden spread across the world, with a set of values born from our people.
9
We are practical, but we also
know when to take audacious
risks in pursuit of progress.
We have a deep commitment to
sustainability; it’s our responsibility to
use technology to improve the well-
being of people and planet.
We use our curiosity to
transform possibility into reality
and take our work to the next
level.
We foster an inclusive, equitable
community because we’re smarter,
stronger and have more fun
together. We forge trusted
relationships that are built-to-last.
#GrowTogether #DareToTry #DoTheRightThing #StayCurious
1 2 3 4

10. 10
We are at a turning point in business
2
3
1 Digital acceleration
From siloed to blended physical + digital worlds
Fractured world
From globalization to a volatile, multi-polar world
in polycrisis
Ecological challenges
From abundant resources to scarcity, energy and climate
crises
• Data drives business
• Automation/AI needed everywhere
• Digital talent war rises
• Security, resilience,
and sovereignty are becoming
more than ever critical for
survival
• Sustainability is the new imperative
How can you thrive in this new
reality and manage its
business implications?
Our vision: the world has changed

11. 11
Examples of what we do
Accelerating clinical
trials
We worked with a leading
life sciences company to
assess sophisticated sensors
& collect patient data to
accelerate clinical research
& development with digital
biomarkers.
#industries
Complex challenges
require solutions yet to
be imagined
It takes imagination and
inventiveness to make
hard things seem easy for
our clients and their
clients.
11

12. 12
Accessing Medical Data
GDPR
General Data Protection Regulation
Applied in the EU since May 2018
Up to 20 million euro fines
It is a regulation, not a directive

13. 13
Regulation or directive?
A "regulation" is a binding
legislative act. It must be
applied in its entirety across
the EU. For example, when
the EU’s regulation on
ending roaming charges
while travelling within the EU
expired in 2022, the
Parliament and the Council
adopted a new regulation
both to improve the clarity of
the previous regulation and
make sure a common
approach on roaming
charges is applied for
another ten years.
A “directive" is a legislative
act that sets out a goal that
all EU countries must
achieve. However, it is up to
the individual countries to
devise their own laws on how
to reach these goals. One
example is the EU single-use
plastics directive, which
reduces the impact of certain
single-use plastics on the
environment, for example by
reducing or even banning the
use of single-use plastics
such as plates, straws and
cups for beverages.

14. 14
Sanctions according to GDPR
The GDPR has eleven
chapters, concerning general
provisions, principles, rights
of the data subject, duties of
data controllers or
processors, transfers of
personal data to third
countries, supervisory
authorities, cooperation
among member states,
remedies, liability or penalties
for breach of rights, and
miscellaneous final
provisions. Recital 4
proclaims that ‘processing of
personal data should be
designed to serve mankind’.
Potential sanctions:
• A warning in writing in cases of first and non-intentional
noncompliance.
• Regular periodic data protection audits.
• A fine up to €10 million or up to 2% of the annual
worldwide turnover of the preceding financial year in
case of an enterprise, whichever is greater, if there has
been an infringement of the provisions in Article 83,
Paragraph 4.
• A fine up to €20 million or up to 4% of the annual
worldwide turnover of the preceding financial year in
case of an enterprise, whichever is greater, if there has
been an infringement of the provisions in Article 83,
paragraphs 5 & 6.

15. 15
Acceptance & Application
Based on three characters:
The regulation became a model for many other
laws across the world, including in Türkiye,
Mauritius, Chile, Japan, Brazil, South Korea,
South Africa, Argentina and Kenya. As of 6
October 2022, the United Kingdom retains the
law in identical form despite no longer being an
EU member state. The California Consumer
Privacy Act (CCPA), adopted on 28 June 2018,
has many similarities with the GDPR.
Data Subject
Data Processor
Data Controller

16. 16
Characters
me
The natural or legal person, public authority,
agency or other body which, alone or jointly with
others, determines the purposes and means of the
processing of personal data.
Data Subject
Data Processor
Data Controller
The natural or legal person, public authority,
agency or other body which processes
personal data on behalf of the controller.

17. 17
Data Subject’s Data
Personal Data - any
data that can be
used to identify an
individual, such as a
name, home
address or credit
card number.
The 8 rights of the Data Subject:
• to be informed
• to access
• to object
• to erasure or blocking
• to damages
• to file a complaint
• to rectify
• to data portability 17
The GDPR recognizes data concerning health
as a special category of data and provides a
definition for health data for data protection
purposes.
Though the innovative principles introduced by
the GDPR (privacy by design or the prohibition
of discriminatory profiling) remain relevant and
applicable to health data as well, specific
safeguards for personal health data and for a
definitive interpretation of the rules that allows
an effective and comprehensive protection of
such data have now been addressed by the
GDPR.
Processes that foster innovation and better
quality healthcare, such as clinical trials or
mobile health, need robust data protection
safeguards in order to maintain the trust and
confidence of individuals in the rules designed to
protect their data.

18. 18
Differences between “can” and “must”
The lawless land
• 5% of internet
content.
• Findable through
search engines.
• 90% of internet content.
• Not findable through
search engines.
• E-Mails, bank info,
credit card numbers
• Extremely protected
• 5% of internet
content.
• Used for seriously
illegal purposes.

19. 19
Anonymization of Data
A process by which personal data is altered in
such a way that a data subject can no longer be
identified directly or indirectly, either by the data
controller alone or in collaboration with any other
party.
Data Controller
In the context of medical data, anonymized data refers to data from which the patient cannot be
identified by the recipient of the information. The name, address, and full postcode must be
removed, together with any other information which, in conjunction with other data held by or
disclosed to the recipient, could identify the patient.

20. 20
Is it really anonymous?

21. 21
21
The “Findability”
• 42 year old
• Hospital X
• Date of case study
• Population
• Other details of the report
• Request of legal reports
• Public information on the internet (voters,
fines, official notifications)
• Social networks
• Social networks of the others

22. 22
Recommendations
• No magic formula.
• Use social networks with wisdom.
• Before mentioning others (relatives,
friends) get their approval.
• Avoid any mention to medical
topics, unless necessary.
• Enroll Robinson list.
• SWITCH OFF THE PHONE when
not necessary.
• Review systematically all sensitive
documents and delete/destroy
(banks, medical).
• Look for professional advice in
case of action or protection.

23. 23
Professional Advice?
23
• Identification of data in the dark web.
• Legal advice.
• Erasure of data.
• Identification of threats.
• Specific tools and service.
• 24x7 Cybersecurity Service. Round the
Clock, round the globe.

24. 24
Hvala!
24
Josema Cavanillas
VP - Head of Health & Life Sciences Sales for Eastern Europe
Member of the Atos Scientific Community
Member of the Atos Expert Community