This week’s announcement that the government will sign the European privacy rules set out in the General Data Protection Regulation (GDPR) into British Law and update the existing Data Protection Act made headline news – and rightly so given it impacts on pretty much every organisation in the UK – including GP practices.
The announcement hopefully removes any lingering (and misplaced) uncertainty about whether the EU’s GDPR will become active in this country because of Brexit, and will hopefully press practice managers into action ahead of the 25th May 2018 deadline. It’s arguably the most important legislation change of recent times and, although nothing new, the task of keeping data safe is now more vital than ever before.
So what can practices do to prepare for that May deadline?
Much has been written about GDPR – much of it incorrect and much of it by companies invested in making it seem much more complicated than it really is – so that they can be brought in as ‘experts’. The reality however is that it’s nothing to be feared. Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
There are new elements and significant enhancements, so you will have to do some things for the first time and some things differently. A good starting point is the Information Commissioner’s Office (ICO), which has helpfully published a 12-step guide to get you started.
Learn what’s covered
According to the GDPR website, the regulations apply to personal data. This includes: names, photos, email addresses, bank details, posts on social networking websites, medical information and computer IP addresses.
It’s therefore vitally important to ensure that you collect and store confidential data and client contact data in accordance with GDPR. This doesn’t mean that you should discard any data that has not been gathered with a GDPR compliant process, but you must contact those individuals again to request the appropriate consent. If you work with children, you will need to gain parental or guardian consent in order to process their data lawfully.
The basic principles
According to the Information Commissioner’s Office (ICO), GDPR centres around ‘controllers’ and ‘processors’. Effectively, the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
The GDPR places specific legal obligations on processors. For example, they are required to maintain records of personal data and processing activities and will have significantly more legal liability if they are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
Unsurprisingly, the NHS and many trusts have been slow to advise how GDPR will affect centralised databases and the users of them. So, be proactive if you haven’t had any advice and ask for the info – finding out what you need to do early will be extremely helpful!
Get everybody on board
GDPR and data protection require buy-in from everyone – it only takes one weak link to provide a hacker with everything they need. It’s likely that meeting GDPR needs will also involve changes to processes, so getting people onside will aid with change management. Understanding the tasks involved will also be vitally important.
Appoint a DPO
You will need to appoint a dedicated Data Protection Officer (DPO) who will be responsible for GDPR compliance. And, in line with the point above, ensure everybody is clear that the DPO has the right to check everybody’s processes and procedures, including those of GPs.
Once you’re ready to make a start in ensuring your practice is GDPR compliant the first stage is all about understanding your data. What data do you hold? How do you collect it? Where and how is that data stored? Who has access to it? How is the data currently used? Try to be as clear and as detailed as possible.
The ICO recommends that once you understand what your current data set-up is like, you compare it against the GDPR requirements. This will help you identify any gaps in your processes.
Rights and requests
One of the key elements of the new law is all about individuals’ rights – including the right to be forgotten. So, check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. You should also update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Plan for the worst
Such is the volume of cyber crime today, and with NHS organisations a prime target for attack, it’s highly likely that GP practices will be the next victims. So plan for the worst! GDPR states that you must inform the relevant authorities (ICO and NHS) of a data breach, telling them:
- What types of data were leaked
- How many registered parties the leak involves
- What the consequences are for those registered parties
- What has been done to ensure that this does not happen again
- How those affected will be informed of the data leakage – public announcement, personal letter or emails
Make it an ongoing task
Data privacy and compliance with GDPR isn’t a short-term obligation. Yes, a data audit is important right now, but that’s just a snapshot. Ongoing monitoring and compliance is essential, and this is where the DPO really comes into their own – they’re vital in ensuring processes don’t get ignored and people don’t slip back into old habits.
Overall, GDPR will be an admin burden for practices, but in so many ways it’s all about processes and procedures and isn’t as daunting as it perhaps seems at first glance. Much of it is common sense – and that’s something practice managers have plenty of!
Have you already gone through the GDPR planning stage? If so, what tips can you share? Comment below or in the Practice Index forum here.