Ask the expert: Is my practice ready for GDPR?

What measures does my practice need to take ahead of the General Data Protection Regulation (GDPR) coming into effect?

The way that practices manage their data will significantly change when the GDPR comes into force on May 25. It is a comprehensive overhaul of existing data protection law, which hasn’t been updated since the Data Protection Act (DPA) was introduced in 1998.

The Information Commissioner’s Office (ICO) has described it as “the biggest change to data protection law in a generation”.

Practices must make sure that everyone who processes personal data in the practice is aware that the law is changing and of its likely impact. The GDPR applies to all personal data being processed, meaning information that relates to an identifiable living person.

As well as patient information, it also relates to employees’ personal records including sickness absence, performance appraisals and any other information held about your staff.

So what is the GDPR going to mean for you and the way you handle your employee data?

As a starting point for compliance with the GDPR, it would be useful to think about the following:

• What categories of personal data do I process as an employer of staff?

• What do I do with that personal data?

• Why do I do this – what is the legal basis for processing it?

• Is it necessary for me to be processing all the personal data that I have and/or storing it (the more personal data you have the greater the risk of a breach)?

• Who am I sharing that personal data with? This information would form the basis for your “privacy notice”.

For personal data to be processed lawfully, practices will need to consider the following in relation to employment law:

• Contract – the processing of the data is necessary for you to comply with your contractual obligations to the employee

• Legal obligation – the processing is necessary for you to comply with your legal obligations

• Legitimate interest – the processing is for a legitimate interest

• Consent – the ICO indicates that consent should only be used when no other lawful basis applies. Collecting and maintaining appropriate consent is difficult, because consent must be “freely given, specific, informed and clearly indicated by a statement of affirmative action”

There are changes being made to subject access requests (SARs). The new regulation will enhance employees’ rights to access their personal data and entitles them to more information on how their data is being processed.

The current time limit of 40 days to comply with a SAR will reduce to one month and the fee is being abolished, although it will be possible to request a reasonable administration fee where the SAR is “manifestly unfounded or excessive”.

Any breach that creates a risk to the “rights and freedom” of the individual will have to be reported to the ICO within 72 hours of it being discovered. Breaches that are deemed “high risk” should also be notified to the individual concerned “without undue delay”.

Information regarding employees’ health will be treated as “special category data”, as the GDPR deems this type of information more sensitive and requiring additional protection. If you are processing special category data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

New contract clauses and wording for your handbook are available from the employment law team by contacting advice@mddus.com.

We are also hosting GDPR training days in our Glasgow and London offices. The sessions will look at what the new obligations mean for medical and dental practice managers, primarily focusing on patient data. The Glasgow course is sold out but there are still spaces available for the London event in May.