The GDPR, or General Data Protection Regulation, is a new piece of European legislation which replaced the Data Protection Act (DPA) 1998 on 25 May 2018. The new Data Protection Act 2018 also came into force at the same time. The purpose of the new DPA is to apply the GDPR in the UK.
The underlying data protection principles have not changed significantly from those of the DPA, but there is a new principle of ‘accountability’: the organisation must be able to demonstrate its compliance with the data protection principles. The GDPR also requires organisations to adopt the philosophy of ‘data protection by design and default’. The principles are the backbone of the regulation.
The risk team have identified the following key tools from our resources to help you work through this area of risk and ensure compliance:
- Quiz: GDPR - Are you ready? Take our quick quiz and test your knowledge on the GDPR.
- Checklist: GDPR. This checklist helps practice managers, GPs and GDPs understand their duties and responsibilities under the General Data Protection Regulation (GDPR). It contains links to practical guidance sheets which are also listed below.
- Guidance sheet: Breaches. What constitutes a data breach under the GDPR and when do you have to notify the Information Commissioner's Office? When do individuals need to be notified? This guidance sheet offers practical advice on this key GDPR area.
- Guidance sheet: Data subject rights. Find out more about subject access requests and enhanced data subject rights with this handy guidance sheet.
- Guidance sheet: Lawful processing including consent. The GDPR requires a lawful basis for the processing of personal data. This guidance sheet explains the various bases for legal processing of sensitive and non-sensitive data with a particular emphasis on informed consent and offers practical advice.
- Guidance sheet: Privacy impact assessments. PIAs are useful tools to help practices consider and address the privacy risks inherent in processing the data they hold. The GDPR requires a PIA to be carried out before implementation of a new system or process for processing data. This guidance sheet offers practical step-by-step advice.
- Guidance sheet: Privacy notices. These are effectively compulsory under the GDPR. This guidance sheet explains why you need a privacy notice, what they are for and how they should be composed.
- Article: Protecting employee data. Much of the focus in primary care thus far has been on the changes applying to patient records, but practice managers must remember that the new regulation also applies to the information you hold about your employees. Risk adviser Lindsey Falconer looks at what the GDPR will mean for you and the way you handle your employee data.
- Article: Prepare yourself. Risk adviser Alan Frame offers practical advice on preparing your practice for the GDPR including what to put in a privacy notice, what data is affected and monitoring staff via CCTV.
- Article: Prepare now for changes in data protection. This risk alert provides an overview of the Information Commissioner's Office's 12-step guidance setting out how organisations can prepare for the GDPR.
Dental risk toolbox
MDDUS risk toolboxes are designed to help dentists and practice managers review key risk areas within their practice.