The GDPR, or General Data Protection Regulation, is a piece of European legislation which replaced the Data Protection Act (DPA) 1998 on 25 May 2018. The new Data Protection Act 2018 also came into force at the same time. The purpose of the new DPA is to apply the GDPR in the UK.
The underlying data protection principles have not changed significantly from those of the DPA – but there is the new principle of ‘accountability’. The GDPR also requires organisations to adopt the philosophy of ‘data protection by design and default’. This means that the organisation must be able to demonstrate compliance with the data protection principles. The principles are the backbone of the regulation.
The risk team have identified the following key tools from our resources to help you work through this area of risk and ensure compliance:
- Checklist: GDPR. This checklist helps practice managers, GPs and GDPs understand their duties and responsibilities under the General Data Protection Regulation (GDPR). It contains links to practical guidance sheets which are also listed below.
- Webinar: Watch our training webinar, "GDPR: an overview".
- Guidance sheet: GDPR Breach Notifications. What constitutes a data breach under the GDPR and when do you have to notify the Information Commissioner's Office? When do individuals need to be notified? This guidance sheet offers practical advice on this key GDPR area.
- Guidance sheet: GDPR Subject Access Requests. Find out more about subject access requests and enhanced data subject rights with this handy guidance sheet.
- Guidance sheet: GDPR Lawful basis for processing. The GDPR requires a lawful basis for the processing of personal data. This guidance sheet explains the various bases for legal processing of sensitive and non-sensitive data with a particular emphasis on informed consent and offers practical advice.
- Guidance sheet: GDPR Data Protection Impact Assessments. PIAs are useful tools to help practices consider and address the privacy risks inherent in processing the data they hold. The GDPR requires a PIA to be carried out before implementation of a new system or process for processing data. This guidance sheet offers practical step-by-step advice.
- Guidance sheet: GDPR Privacy Notices. These are effectively compulsory under the GDPR. This guidance sheet explains why you need a privacy notice, what they are for and how they should be composed.
- Article: Protecting employee data. Much of the focus in primary care thus far has been on the changes applying to patient records, but data controllers must be aware that the new regulation also applies to the information held about employees. Employment adviser Liz Symon looks at what the GDPR means for the way employee data is processed.
- Article: Prepare yourself. Risk adviser Alan Frame offers practical advice on preparing your practice for the GDPR including what to put in a privacy notice, what data is affected and monitoring staff via CCTV.
- Online Course: Managing Data Security Breaches. This interactive online course is aimed at data controllers and processors in dental teams. It explores what constitutes a data security breach under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA 2018) and looks at what you should do if a breach is discovered. You will also learn how to avoid common pitfalls in the reporting and management of breaches.
- Online Course: An introduction to Privacy Notices. This interactive online course offers an introduction to developing privacy notices in compliance with the GDPR legal requirements. It is aimed primarily at data controllers and those who have a responsibility for developing organisational policies in dental teams.
- Online Course: Managing Subject Access Requests. This interactive online course is aimed at data controllers and processors in dental teams. It details key requirements and responsibilities and sets out the legal framework associated with data subject access requests. It also highlights common pitfalls and good practice in this area.