Getting prepared for GDPR
Have you heard of GDPR? Whilst it may sound like some new medical condition it’s a change in the law that covers the way organisations hold and use personal data, and it stands for General Data Protection Regulation. GDPR is an update to the current legislation that takes account of the massive impact of technology on data storage and use.
Often when faced with a change like this, human instinct is to ‘put it on the back burner’. But GDPR will affect practically every business and organisation in the UK. And don’t think Brexit will let us off the hook! The law comes into force on 25th May next year, well before we break from the EU. It will replace the current Data Protection Act, and the penalties for not complying will be high.
The chances are that if you are fully complying with the Data Protection Act, then most of your approach will remain valid under GDPR. However, you will need to consider some new elements and enhancements – and there are some specific requirements for the health and social care sector.
Some key elements of the new act include:
Consent
It must be absolutely clear what a person is specifically consenting to, and that consent must be given by affirmative action. That means no more blanket collection and use of data. For example, if you want to send someone an email, you must have received specific consent to do so – gone are the days of an automatic tick box on a sign-up form. The data held must be used only for the purpose for which it was collected.
The right to be forgotten
Subscribers will have the right to be forgotten at all times. You need a process for this, will need to communicate the process to the people on your database, and must be able to demonstrate that you have drawn the process to their attention.
The appointment of a Data Protection Officer
If you employ more than 250 people, you will have to appoint a DPO. The DPO is a data protection expert whose role is to help what the regulation describes as data ‘Controllers’ and ‘Processors’ comply with the law and avoid the risks that organisations face when processing personal data.
Data Protection Impact Assessments
Data protection impact assessments (DPIAs) will become mandatory for organisations with technologies and processes that present a high risk to the rights of the data subjects.
Mandatory Security Breach Reporting
This is a key change. Any breaches will need to be reported to a data protection regulator within 72 hours, and anyone affected by the breach must also be informed. The health and social care sector will have to put in place effective, practical procedures that can be acted upon immediately, and this should be at the top of its checklist for GDPR compliance.
Demonstration of compliance
Another big change is in the requirement to be able to demonstrate compliance. As with other compliance-based laws, this will mean training and documentation.
What about the health and social care sector specifically?
Health-based data receives a special mention under the GDPR. Part of the description of personal data is that which allows a person to be identified by reference to an identifier such as ‘physical, physiological, genetic, mental, economic, cultural or social identity’.
There are also three additional important definitions that are relevant for our industry. The descriptions are in very legal terms but are important to understand:
- “Data concerning health” is defined as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
- “Genetic data” is defined as “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
- “Biometric data” is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
What is important to highlight here is that these three categories of data will be subject to a higher standard of protection than personal data in general. The processing of these three forms of health data is prohibited unless one of several conditions applies, including:
- The data subject must have given “explicit consent” to the processing.
- “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.”
- “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices.”
It’s clear that health and social care organisations will have to be more careful with the data and be very precise in knowing where it is being stored, how it is being processed and whether consent has been given.
Disclaimer – this article is for information only and does not represent legal advice. Organisations are advised to speak to their legal advisors to ensure full compliance with the law.