GDPR – is your practice ready for May 2018?
Next May sees the implementation of a new piece of EU regulation – the General Data Protection Regulation (GDPR).
Any business, including private medical practices, should be working in accordance with the Data Protection Act 1998 where any personal data is used or collected. There are similarities between the GDPR and the DPA, but this new regulation has some additional requirements that will need to be addressed. So, what are these requirements and what does your practice need to do to ensure you’re ready for May 2018?
New requirements for data controllers and processors
This new data regulation is applicable to data controllers and data processors. In the context of a private medical practice, a data controller could be the principal consultant and the data processor could be the practice manager, medical secretary, IT consultant, or anyone who acts on the processor’s behalf.
Data processed within a medical environment will include names, addresses, email addresses and medical information. For self-pay patients, bank details will also need to be processed in line with the regulations. Medical photography will also be considered personal data, as will any social media interactions you may have with patients (although any communications made in this way will also be subject to additional guidance set out by the GMC).
Key changes
Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are:
- Penalties – Breaches of the GDPR can result in a fine of up to €20 million or 4% of annual turnover, whichever is the larger amount. This amount is in relation to the most serious violations. A company can also be fined up to 2% for less serious breaches.
- Consent – Terms and conditions relating to consent need to be accessible and clear, using plain language. Companies can no longer use lengthy and illegible terms and conditions, and must make it easy for subjects and clients to withdraw their consent.
- Breach notifications – The relevant regulatory authority will need to be notified of any breaches within 72 hours of the data processors and controllers becoming aware of the breach. This is a mandatory step where a breach is likely to put at risk the “rights and freedoms of individuals”.
- Right to access – Data subjects (patients, in the case of private medical practices) have the right to request and obtain from the data controller information relating to whether or not their data has been processed and for what purpose. The controller is obliged to provide a free electronic copy of any personal data being held.
- Data portability – This relates to a subject or patient’s right to request and receive their data, and the right to transfer that data to another company.
- Data protection officers – The new regulation requires a DPO to be appointed only in situations where the company’s activities include the “regular and systematic monitoring of data subjects on a large scale”, or if the company is a public authority.
More information on all changes and requirements, including the full criteria for DPO appointments, can be found HERE.
What about Brexit – do I still need to prepare for the GDPR?
The GDPR applies to all companies located within the EU that process and hold personal data. Companies located outside of the EU will also need to comply with the regulation if they provide services to people residing in the EU. In the international arena of private healthcare, there is a strong likelihood that services will be offered to EU residents. As a result, it would be sensible for practices to ensure they are working within the regulatory framework of the GDPR, so they are compliant even after the UK leaves the EU.
How do I assess my practice for compliance?
For business managers or principal consultants who are unsure how compliant their practices are, the ICO has a useful self-assessment toolkit.
What happens if my practice does not comply?
The GDPR came into effect last year, but will be enforced in May 2018. Non-compliance could result in a fine of up to 4% of annual turnover, so it is crucial to take a look at your data management policies and procedures to ensure that you comply with the regulations.
Data protection at Designated Medical
Designated Group, including Designated Medical, is committed to protecting clients’ privacy and conducts all work in line with the Data Protection Act 1998. We work closely with clients to ensure that data protection laws are adhered to, and all data is stored securely and is encrypted when necessary.
For more information on our services please call 020 7952 1008, or visit our website at designatedmedical.com.
A very clear synopsis of GDPR and its implications Jane, many thanks. We have already started to deliver GDPR-specific pressure tests for organisations, to see where they are on the compliance curve and how much they need to do before May.