The GDPR will increase the obligations on those organisations which handle personal data. This is particularly significant for the healthcare sector which holds vast amounts of personal data.
What Will the GDPR Do?
The GDPR will introduce new concepts and approaches that will require you to implement new measures and to review existing practices. You will also need to revise existing contracts and policies.
What Happens if We Do not Comply?
The data protection regulator (the Information Commissioner's Office) can take enforcement action. Under the GDPR, this will include the power to impose fines of up to the higher of €20m (approximately £17m) or 4% of worldwide annual turnover.
What Should We Do Now?
- Carry out an audit
Document what personal data you hold, where it came from, why you hold it, how it is stored and with whom it is shared. This will assist with the other measures mentioned below because it is difficult to determine precisely what steps to take to comply with the GDPR before you know what personal data you use.
- Think information security
A high-risk area of data protection compliance is keeping personal data secure. The majority of fines issued by the regulator are for information security breaches. This area of compliance is especially important for healthcare professionals, who hold a large amount of sensitive personal data.
You should make sure that you have both technical measures (eg network security, access controls and encryption) and organisational measures (eg staff training and policies) in place to keep information secure, and that you can demonstrate them if the regulator asks.
- Update your privacy notices
You are currently required to provide people with information about how their personal data is used. This information is usually provided in a document known as a privacy notice. The GDPR requires much more information to be included in privacy notices. For example, you must tell people your legal ground for using their personal data, how long you will keep it, what rights they have over their data and their right to complain to the regulator.
- Review your contracts with processors
There must be a written contract in place with your processors. Processors are organisations that process personal data on your behalf, for example an external payroll or cloud storage provider.
The GDPR is far more prescriptive than the DPA on what must be included in these contracts. You must also carry out due diligence on how your processors will comply with the GDPR themselves, since you remain responsible for the personal data they handle for you.
- Privacy impact assessments
Under the GDPR, before using personal data in a way which presents high risks to individuals you must carry out a privacy impact assessment (PIA), referred to in the GDPR as a data protection impact assessment (DPIA). A PIA must document, amongst other things, the data protection risks identified and the steps that you are taking to mitigate those risks.
- Individuals' rights
The GDPR gives people more rights over their personal data and strengthens some existing rights.
New rights include the right to data portability and the right to erasure (ie to have personal data deleted). These rights only apply in certain circumstances, and you should understand how to recognise and apply them.
The existing right of subject access is strengthened by requiring you to comply with requests for personal data within one month in most cases. The current time period is 40 calendar days. In addition, you must supply supplemental information such as your retention periods for their personal data and their right to complain to the regulator.
How Can We Help?
There are many issues to consider over the next few months before the GDPR applies. We can assist with audits, contracts, policies and staff training.
For more information or advice please contact Claire Hall in our Data Protection Law team 0117 314 5279.