GDPR is arguably the most important change to data legislation in recent times, and it makes the task of keeping data safe more vital than ever before.
From May 2018 the new regulations come into force. They introduce some new elements that must be considered and significantly strengthen the existing regulations, so you will have to do some things for the first time and some things differently.
The GDPR regulations largely apply to personal data held by an organisation. This includes: names, photos, email addresses, bank details, posts on social networking websites, medical information and computer IP addresses.
It is therefore vitally important to ensure that you collect and store personal and confidential data, including patient and staff contact data, in accordance with the GDPR. NHS Digital will be publishing a checklist to help practices implement the requirements of the new GDPR.
All practices must also maintain a business continuity plan, which should include details of how the practice will respond to data and cyber security incidents. Practices must also report data security incidents and near misses to CareCERT (an NHS Digital service that delivers essential cyber security updates across the whole NHS). The GP IT services should help practices report and manage such incidents.
What can practices do to prepare for the May 2018 deadline?
- Keep a record of what personal data you hold, who you share it with, and where that information is held and stored at your practice, and monitor it.
- Let your employees know why you require their personal data and that of patients, what the legal requirements and justifications are, and how consent applies. Ensure staff are fully trained in all aspects of the new legislation.
- The Information Commissioner's Office (ICO, a public body which reports to government and upholds information rights in the public interest) recommends that anyone processing data at 'large scale' should have a Data Protection Officer: a named person responsible for verifying that you are complying with data protection law.
- Subject access requests (SARs) under the new rules differ from how you have dealt with them under the current Data Protection Act: you may no longer charge patients a fee for a SAR, and whereas you previously had 40 days to deal with such a request, you now have one month to comply.
- The GDPR sets a higher bar for consent. Consent must be a clear, affirmative opt-in rather than an opt-out, patients must be able to withdraw it as easily as they gave it, and you will need to keep good records of the consent you hold.
Overall, the GDPR will be an administrative burden for practices, but in so many ways it’s all about processes and procedures and isn’t as daunting as it perhaps seems at first glance.