What is GDPR and what does it mean to be compliant?
I am sure that you will all by now be aware of GDPR. GDPR comes into effect on 25th May 2018 and seeks to give individuals more control over how organisations use their data.
GDPR is a European regulation, and automatically becomes law in the UK because of our membership of the European Union. Although Brexit would take us out of the European Union, the current plan is to incorporate all EU law into UK law, so GDPR is almost certainly here to stay.
Confusingly, the UK Parliament is drafting its own data protection law called the Data Protection Act 2018 (DPA 2018). This law will supplement the GDPR and replace the existing 1998 Data Protection Act. The DPA 2018 is still working its way through Parliament so is not finalised. Much of the commentary on ‘GDPR’ combines it with the DPA 2018, and so mixes actual law with a draft bill.
Who does it apply to?
GDPR applies to all individuals and businesses who have responsibility for handling personal data. GP practices are ‘data controllers’ registered with the Information Commissioner (ICO) and are responsible for deciding how and why data is processed.
In our experience, practices have long been familiar with the concepts of data confidentiality, but GDPR requires additional levels of process and control, and forces practices to think about all personal data, not just the confidential health data they hold.
The key to understanding compliance with GDPR is not to see it as a tick-box exercise to be completed by 25th May, but rather as developing and embedding a permanent change of culture, whereby protection of personal data is central to every decision made within the practice. When all staff are able to recognise personal data and make informed decisions about protecting and processing it, and know what to do in the event of a breach, you will be well on the way to compliance.
What can GP practices do to prepare for GDPR?
- If you haven’t found it already there is a very helpful 12 Steps to Take Now and Data Controller Self Assessment Toolkit on the ICO Website. Given that the ICO is the data regulator, they are the best place to start with your preparation.
- It is critical that practices can demonstrate that they have sought to comply. The ICO has been clear that they are looking to see reasonable efforts being made. To do this you will need to have identified, documented and explained the legal basis for all the data flows to and from the practice. This is likely to be a time consuming undertaking and will be difficult to do unless you have a member of staff who is familiar with documenting processes and data flows. Remember that this documentation will have to be kept up-to date, so be careful not to outsource all your understanding of this information audit.
- Data Protection policies and procedures must also be updated. Many practices have historically relied on ‘template’ policies, but these are unlikely to be adequate, as procedures will have to relate to the data flows identified in the information audit.
- Privacy Notices are another important part of GDPR. These must be displayed prominently, which as a minimum is likely to be on the practice website and the noticeboard. Practices should think hard about opportunities to draw patient attention to these Privacy Notices, since one of the key principles underlying GDPR is transparency about how you deal with data. New information which must be added to privacy notices includes how you intend to use data, and the ‘lawful basis’ for what you are doing.
- Be aware that much health data falls under one of the GDPR special categories. In addition to the ‘lawful basis’ that all data controllers must identify, practices need to satisfy a second separate condition that the processing is necessary for the purposes of healthcare.
- Staff training is also an important part of compliance. Practices will need to be able to demonstrate that they have trained all their staff, including Partners, in GDPR and have an ongoing program to ensure that they are kept up to date as the law changes.
- One significant change is that practices can no longer charge patients for access to their medical records except in exceptional circumstances. This may unfortunately increase the administrative workload as patients and others get used to making ‘subject access requests’. The time limit for dealing with these has been reduced from 40 days to one month.
- An interesting example of the current uncertainty is the role of the Data Protection Officer (DPO). Under GDPR, it is not at all clear that practices are required to appoint a DPO. However, the DPA 2018 if enacted in its current draft form would certainly require practices to appoint a DPO.
So what happens if there is a breach and what are the risks of non-compliance?
In the event of a data breach affecting patient’s privacy rights, you must notify the Information Commissioner’s Office (ICO) no later than 72 hours after you become aware of the breach. If the breach is likely to present a high risk to their data, the patient must also be informed. You should have a clearly documented process for managing a data breach. This is another example of how proper documenting of processes and staff training is going to be vital.
It is important that practices take ownership of GDPR themselves. Compliance is not really something that can be outsourced, although there are plenty of commentators looking to profit from it. The ICO have made clear that the world will not end on the 25 May 2018 as they realise this is a journey for all businesses and they want to be supportive rather than punitive, but they will want to see evidence that practices are taking data security seriously throughout the organisation.
If you are concerned about your GDPR readiness, then please give us a call and we would be happy to talk through your plans. In our experience, most local medical committees are also aware of what needs to be done and are able to assist members and share good practices on GDPR.
If you would like to discuss GDPR or any other legal matter, please contact Nils Christiansen on 01483 511555, email@example.com