Healthcare legal

GDPR compliance programme for a hospital group: from investigation to full compliance

We managed the response to a Spanish data protection authority (AEPD) investigation following a data breach at a private hospital group, and implemented a comprehensive GDPR compliance programme across 12 centres and 3,000 employees.

The challenge

A private hospital group with 12 centres and 3,000 employees under AEPD investigation after a data breach. They needed an urgent response to avoid sanctions and a comprehensive compliance programme to eliminate future exposure.

The Challenge

A private hospital group operating twelve centres across three Spanish regions with more than three thousand employees suffered a data breach affecting the health data of approximately four thousand patients. The breach, caused by a ransomware attack, was notified to the AEPD within the legal deadline, but the Agency opened an investigation to assess whether prior security measures had been adequate and whether the breach response had been properly managed.

The potential sanction was significant: the GDPR allows fines of up to €20 million or 4% of global turnover for serious infringements involving special categories of data such as health records. Beyond the financial risk, the company faced considerable reputational exposure in a sector where patient trust is fundamental.

The initial assessment revealed that the group lacked a structured GDPR compliance programme: no DPO had been formally appointed, several high-risk processing categories lacked documented Data Protection Impact Assessments (DPIAs), and breach management protocols were insufficient.

Our Approach

We immediately activated a multidisciplinary team combining data protection lawyers, cybersecurity technical consultants, and a healthcare regulatory specialist. Within the first seventy-two hours we prepared the initial response to the AEPD: a detailed report of the security measures implemented before the breach, a chronological account of incident detection and containment, and the corrective measures already adopted.

The strategy before the AEPD was built on three arguments: notification had been timely and complete; the security measures were reasonable for an entity of this type, although improvable; and the group had proactively adopted additional measures following the breach demonstrating genuine commitment to data protection. We supported each argument with documented evidence.

Simultaneously, we designed and implemented the comprehensive compliance programme: appointment and training of the DPO, records of processing activities for all twelve centres, DPIAs for all identified high-risk processing activities (electronic health records, telemedicine, video surveillance systems), a breach management protocol, and a training programme for all staff tailored to each professional role.

Results

The AEPD closed the investigation with a resolution archiving the proceedings, imposing no sanction and acknowledging the group’s active cooperation and the corrective measures adopted. This was the best outcome achievable given the starting circumstances.

Over the following six months, all twelve centres in the group achieved full compliance with the GDPR and the Spanish health data protection regulations (Law 41/2002 and applicable regional legislation). Three thousand employees completed the training programme specific to their role. The group now has a robust compliance infrastructure with annual reviews and scheduled breach response drills in place.

Results

AEPD investigation closed with no sanction. Full GDPR compliance achieved across all group centres within 6 months.

Up to €10M: financial penalty avoided
12 of 12: centres in compliance
3,000: employees trained
6 months: time to compliance

Client testimonial

The speed with which BMC mobilised a multidisciplinary team — lawyers, technical experts, and healthcare specialists — made the difference between a seven-figure fine and closing the investigation. Their knowledge of the healthcare sector was critical.

Chief Executive Officer, Confidential Private Hospital Group

Achieve similar results

Let us discuss how we can help your business achieve its goals.
