From 25 May 2018, the current Data Protection Act (DPA) 1998 gives way to its successor, the General Data Protection Regulation (GDPR).
Fines are among the things that are changing. Under the current DPA, an organisation in breach can be fined up to £500,000; once the GDPR applies, fines can reach €20m or 4% of the organisation's worldwide annual turnover for the previous financial year, whichever is higher.
It is therefore wise to check a few things to make sure you are complying with the GDPR.
The Information Commissioner's Office (ICO), the UK's independent data protection authority, has published a list of steps to follow to prepare for the new regulation.
Here is our pick of the steps most relevant to practice managers.
1. Document the personal data you hold at your practice.
The ICO suggests you record what personal data you hold, where it came from, where it is stored and who you have shared it with. This matters in practice: if you share personal data with a third party and then discover it was inaccurate, knowing where the data came from and where it went makes it far easier to trace it back, correct it and notify the other party of the mistake.
2. Tell your employees why you are collecting their personal data.
The GDPR sets out several lawful bases for processing personal data; one of them is that the data subject has given consent to the processing, but others (for example, compliance with a legal obligation) also apply. Whichever basis you rely on, you must tell people what you are collecting, why, and on what basis. Remember, your employees have a right to complain if they believe you are mishandling their data!
3. Do you need a Data Protection Officer (DPO)?
The ICO's guidance is that an organisation processing personal data at "large scale" needs a DPO: a named person responsible for monitoring the organisation's compliance with data protection law. Under the GDPR this includes large-scale processing of special categories of data, such as health records, so many practices will need one.
4. Subject access requests (SARs).
Unlike under the DPA, you will no longer be able to charge patients a fee for a SAR in most cases. Whereas you had 40 days to respond before, you now have one month (extendable for complex requests). If you refuse a request, you must tell the individual why and inform them that they can complain to the ICO.
5. Consent.
The GDPR sets a higher bar for consent. Although the definition is similar to the one in the DPA, consent must now be a clear, affirmative opt-in (pre-ticked boxes and silence do not count), it must be as easy to withdraw as it was to give, and you need good records showing who consented, when and to what.