Privacy and data protection

As a former Data Privacy Specialist/Data Protection Officer in the fertility industry, and since 2021 as an independent consultant in the healthcare business, I am used to implementing and operating information security management/privacy systems (ISO 2700X/277XX/29100 etc.), complying with relevant law (EU, UK, US etc.).

Working with many types of data subjects, large amounts of sensitive data, a multitude of vendors/processors and complex processing patterns (tissue/cell donation, assisted reproduction, drug development/surveillance, scientific research etc.), I have been responsible for all aspects of privacy/information security.

Focusing on business processes, IT security and employee behavior, and aligning them with the needs and wishes of stakeholders, I know how to meet legal requirements, promote customer trust and confidence, and enhance the organization's reputation.

I hold a number of certificates in data privacy law/management (CIPP/E, CIPM, IAPP Fellow of Information Privacy, GDPR Master Class etc.), as well as in managing "GRC software" (OneTrust Privacy Technology Fellow), and have worked closely with personal data specialists in law firms such as Bech-Bruun, Accura and Plesner. I am a member of various data privacy forums and knowledge-sharing platforms (e.g. IAPP, OneTrust DataGuidance, and the DPO Association of Denmark), and continuously take part in conferences, network meetings, lectures/webinars and training activities.

Based on the above, LHR Consult offers the following services:

  • Advising on information security and national/global privacy law (EU, UK, US etc.) incl. sector-specific law (healthcare, pharmaceuticals, tissue/cells, assisted reproduction, record keeping, scientific research, labor law, bookkeeping, marketing etc.), guidelines, standards and frameworks (e.g. ISO, NIST and COBIT).
  • Gap/maturity analysis and auditing against current local/national requirements and frameworks.
  • Risk assessment of all business areas (e.g. PIA/DPIA and ISO 29134).
  • Mapping of asset inventories, context and purpose, data types/sources/flows, ownership, recipients/transfers, storage/retention schedules, security measures, local/national requirements (e.g. EU, UK, US) etc.
  • Data lifecycle management (discovery, classification, collection, validation, quality, analysis etc.) incl. data-driven insights across the organization.
  • Identifying, implementing and analyzing physical, organizational, behavioral and technical security measures/controls/metrics/KPIs (Annex A controls/"Statement of Applicability" etc.) with regard to trending, return on investment (ROI), business resiliency, program maturity etc.
  • Anchoring business ethical thinking when working with artificial intelligence, biometrics, genetic screening, portable biosensors, whistleblowing, drug testing/monitoring, transfers, secondary use of data, etc.
  • Implementing and operating information security and privacy management systems/frameworks (ISO 2700X/277XX/29100 etc.), incorporating common privacy principles and concepts (privacy by design/default etc.), and establishing responsibilities, reporting structures and communication with internal/external stakeholders.
  • Aligning approaches with the organizational culture, the needs of stakeholders (sponsor, CRO, clinic, laboratory, investigator, client/patient etc.) and the broader business objectives and goals, ensuring flexibility when incorporating legal, market and business requirements.
  • Implementing and operating "Governance, Risk and Compliance (GRC)" software tools (OneTrust, ComplyCloud etc.).
  • Acting as Chief Privacy Officer, Data Protection Officer (GDPR Art 37), EU Representative (GDPR Art 27) etc.
  • Preparing privacy and information security policies, operating procedures, templates, flow diagrams, annual compliance wheel etc. (data subjects' rights, transfer/sharing, processors, incidents/breaches, retention, business contingency/continuity, acceptable use, direct marketing, HR, cookies, consent, privacy notices etc.).
  • Facilitating training and awareness activities for employees, partners and other stakeholders (privacy, information/IT/cyber security, ePrivacy, business ethics etc.).
  • Managing data subjects' rights, inquiries, complaints and contact with supervisory authorities.
  • Third-party vendor/processor management – due diligence, contracts/SCCs, monitoring and auditing, assessment of assurance reports (e.g. ISAE 3000/3402 and SOC 2) etc.
  • Management of international data transfers (transfer tools, SCCs, European Essential Guarantees, TIA etc.).
  • Managing deviations, incidents and security breaches (identification, registration, root cause analysis, reporting, corrective/preventive measures, trending etc.).
  • Liaising with and acting as a sounding board towards local/national supervisory authorities (registration, reporting, complaints, inspection, interpretation of legal requirements etc.).
  • Identifying and managing challenges and opportunities to continuously improve frameworks and programs (digitalization, automation, cloud solutions, GRC tools etc.).

Assignments related to Tissues & cells and Quality management may well be combined with those mentioned above. For more information, see the relevant sub-menus under "Services".