DATA protection laws have not changed for 18 years but European authorities have been working on reform for the last four years and the result is a new General Data Protection Regulation (GDPR) which will become law by 2018 – and that’s not too far off.
The Information Commissioner's Office (ICO) has released 12-step guidance urging organisations to prepare for the new GDPR.
It is important for organisations to begin to determine the risks that must be managed, get an understanding of the data they have, establish exactly what needs to be protected and take the necessary measures to secure it before the GDPR comes into force. The big motivator is that fines will be four per cent of gross profit which will be capped at 20 million Euros or approximately £15.8 million.
The ICO proposes the following actions:
- Launch a staff training and awareness programme. Staff must be made aware of the changes and the potential impact that a data breach may have under the new regulation. Breach reporting will be required within 72 hours.
- Audit the information you hold. Organisations should have a clear idea of the personal information they hold, where it originated and with whom it can be shared. An information audit is a key part of a data protection compliance regime.
- Communicating privacy information. Organisations should review their terms and conditions and develop a plan that makes it clear how they gather and share personal information.
- Consider individuals’ rights. It is essential to ensure that procedures take into consideration the rights of individual data subjects. These include: • Subject access • Having any inaccuracies corrected • Preventing direct marketing • Data portability • Preventing automated decision-making and profiling.
- Update subject access requests procedures. The ICO advises that organisations update their procedures to be able to handle data requests according to new timescales and to provide additional information as required. The £10 fee will be abolished and the 40 days to supply the information will be reduced to one month. So ensure that your existing processes are capable of being brought into line.
- Establish the legal basis for processing data. Organisations should analyse the reasons for processing any personal data, and confirm and document that there are solid legal grounds for doing so. You will also be required to explain this in your terms and conditions.
- Review consent mechanisms. Organisations should review and update the ways they seek, obtain and record consent for processing personal data. This consent has to be verifiable.
- Update procedures for processing data about children. Organisations should start implementing systems to verify individuals’ ages and to seek parental or guardian consent for any child data processing. Again this consent has to be verifiable and written in a language that children will understand.
- Implement data breach procedures. Organisations should implement procedures that will enable them to detect, report and investigate a data breach according to the requirements of the Regulation. There will be fines for failing to notify as well as the breach itself.
- Incorporate data protection by design and privacy impact assessments. Organisations should ensure they are implementing privacy impact assessments in line with the new requirements.
- Appoint a data protection officer. Organisations should appoint a data protection officer (DPO) where required, and public authorities will be required to designate a DPO.
- Determine the data protection authority for international organisations. For international operations, organisations should determine which data protection supervisory authority they are required to report to.
The above action points are probably part of the existing procedures within most healthcare organisations but subtle changes (e.g. the timeline for subject access requests) may require a review of existing processes. MDDUS will be looking at the impact and reviewing our own webinars and training sessions to ensure that we are all prepared for these changes.
If you require any advice in relation to the changes please contact Alex Lyons at MDDUS.
▪ Alex Lyons is the Senior Information Governance Adviser at MDDUS