SO, WHAT is the GDPR and what do you need to know about it? The European-wide General Data Protection Regulation is a comprehensive overhaul of existing data protection law, which hasn’t been updated since the Data Protection Act (DPA) came into being in 1998. The Information Commissioner’s Office (ICO) has described it as the “biggest change to data protection law in a generation”. Now is the time to start preparing to ensure compliance.
First, make sure everyone who processes personal data in the practice is aware the law is changing and of its likely impact.
All personal data
The GDPR will apply to all ‘personal data’ being processed, meaning information that relates to an identifiable living person. This definition is broad, and as well as patient information it also relates to employees’ personnel records including sickness absence, performance appraisals, recruitment notes and any other information held about your staff. It will apply whether your practice is private, NHS or a combination of both. As a starting point, consider:
- What categories of personal data do I currently process?
- What do I do with that personal data?
- Why do I do it – what is my legal basis for processing it?
- Is it necessary for me to be processing or retaining all the personal data that I have (the more personal data you have the greater the risk of a breach)
- Who am I sharing that personal data with?
This information would form the basis for your ‘privacy notice’, a new requirement under GDPR, which should document what personal data you hold, where it came from and who you share it with. An important data protection principle is that any processing of personal data must be fair and transparent and data controllers will be obliged to inform their patients and employees about exactly what they do with the personal information they hold and process. The privacy notice should be concise, intelligible and easily accessible. If it becomes too unwieldy, you can consider splitting it into separate notices or presenting it on your website in the form of videos or blogs. The important thing is to be transparent and provide accessible information. Start reviewing your current data processing activities now and familiarise yourself with the requirements of privacy notices.
The processing principles under the new GDPR all existed under the DPA but some have been developed further. The ICO has said that if organisations have been complying with best practice under the DPA they “probably won’t have too much work to do”. But as data controller you will have to demonstrate compliance and are accountable by law. (See our checklist opposite for further details.) Legitimate reason To process personal data legally, you must show you have a legitimate basis for doing so. For example, you may need to process an employee’s personal data to comply with a legal obligation such as sending information to the HMRC, or providing a copy of a patient record under a subject access request. It is vital everyone is aware they must have a legitimate reason to access patient records, otherwise they may be committing a serious offence.
Another area to consider is the monitoring of your employees. Do you use CCTV in staff areas? Do you allow staff to make personal phone calls from the practice system or send personal emails from their business account? Can they access personal email accounts and online banking from their work computer? Why would you want to monitor these things? You could argue that you have a legitimate interest in protecting your business. And while you do have the right to protect your IT systems, you also need to respect the personal privacy of your staff. A balance must be struck between the need for legitimate monitoring and the right to privacy.
The new GDPR will give individuals more control over how their personal information is used. New rights include the right to erasure (also referred to as the right to be forgotten) and the right to withdraw consent from companies using and storing their personal information. This could apply, for example, to a practice marketing database but not to dental records or essential employee information.
Subject access requests is another area that will see significant changes. Currently, the DPA enables data subjects to see and have a copy of the information that is held about them, and you currently have 40 days to comply with such requests. Once the GDPR is in place you will have to comply ‘without undue delay’ and within a maximum of one month. The existing fee structures will be abolished altogether.
The GDPR will also require data controllers to inform the regulator and data subjects within 72 hours of any “significant breaches” being discovered. The definition of “significant” has not yet been confirmed. Be aware that the penalties for breaching the GDPR and the loss of personal data can be high – up to four per cent of your gross annual turnover or €20m (whichever is higher). This will increase from the current maximum of £500,000 depending on the size of your business.
In conclusion, GDPR is set to become the definitive authority on data protection, offering the same protection to personal information across the EU and beyond. Britain’s decision to leave the EU is not an escape clause as the UK Government says it will remain fully signed up to its provisions.
Alan Frame is a risk adviser at MDDUS
WHAT TO INCLUDE
- Who is collecting the information – i.e. identify the data controller?
- What personal information do you hold?
- How is the information collected by you?
- Why is it collected, its purposes?
- How will it be used by you?
- WHo will it be shared with?
- What will be the potential effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
- What are you doing to ensure the security of personal data?
- Information about rights of access to their data
- Use clear, straightforward language and avoid jargon
- Adopt a style that will easily be understood
- Don’t assume that everybody has the same level of understanding as you
- Be truthful