Cutting our ties to Europe and its red tape

All of our attention is focussed on Covid-19, while quietly in the background we are still in the process of leaving the EU and cutting our ties to Europe and its data protection jurisdiction.

In this second article published in the Independent Practitioner Today this month, Jane Braithwaite and Karen Heaton share what this means for your practice.

Cutting our ties to Europe

SIGNIFICANT CHANGES to the business environment are often outside the control of medical practice owners, and always involve some work for busy medical practice staff.

In our concluding article of the series, we are looking at what medical practices need to be thinking about as the UK exits the transition period in December 2020.

For changes involving the processing of personal data, those medical practices who have invested in bringing their operations in line with the EU’s General Data Protection Regulation (GDPR) and have embedded a data privacy and security culture within their organisations will be in a position to respond faster and more efficiently to changes outside their control, such as Brexit.

The UK left the EU on 31 January 2020 and is now operating under the terms of the Withdrawal Agreement between the UK and the EU. This agreement runs until 31 December 2020.

Unless there is an extension to the Withdrawal Agreement, the UK will leave either with or without a future deal between the UK and the EU.

Will there be a deal?

As everyone knows, the negotiations on what the future relationship between the UK and the EU will look like were already under way before the pandemic. It may be some time before businesses understand what that relationship will be and what it might mean for data protection.

Navigating the GDPR labyrinth

In the April issue of the Independent Practitioner Today, Jane Braithwaite and Karen Heaton discuss GDPR and reveal that medical practices did not properly understand whether they were required to ask patients for their consent for certain processing activities or how to do so.

Consent and GDPR

In the medical sense, ‘consent’ is very clear. But in the EU General Data Protection Regulation (GDPR), the question of consent has been one of the most confusing and frustrating issues to come to terms with.

How many emails did you receive in the run-up to the GDPR deadline about ‘opt-ins’ for marketing or just ‘opt-ins’ in general?

Our experience is that medical practices and businesses in general really did not properly understand whether or not they were required to ask patients or clients for their consent for certain processing activities or how to do so.

On a personal level, it was a very useful opportunity to clear out unwanted junk email and compel organisations to take unsubscribe requests seriously. This had clearly not been the case in the past.

But were all these emails about consent necessary?

Well, that depends on a number of factors:

  • The lawful basis you have for processing an individual’s data;
  • How you received an individual’s data;
  • What you have told individuals – patients, clients or employees – about how your practice handles their personal data.

For medical practices who act as data controllers, there is the potential for non-trivial reputational damage and large fines from Information Commissioner’s Office (ICO) investigations regarding poor consent practices.

So, to answer this question, let’s look at:

a) Your lawful basis for using that data;
b) The data you process and how it is processed.

Top reasons for data breaches

In the March publication of the Independent Practitioner Today, Jane writes about data breaches: the reasons behind them and how to avoid them.

IN THE non-cyber category – that is to say, ‘human error’ – we have, as the main causes:

  • General breach of personal data – this will contain ‘blagging’ incidents and the accidental disclosure of personal data;
  • Data posted or faxed to an incorrect recipient;
  • Data emailed to an incorrect recipient;
  • Loss/theft of paperwork or data left in an insecure location.

In the cyber category, we have the following main reasons for data breaches:

  • Phishing – emails with malicious links, malware;
  • Unauthorised access.

In conclusion, it is errors by staff and employees that cause the majority of data breaches reported to the ICO. Poor data handling and data management are underlying causes of the data breaches reported to the ICO, whether these breaches are cyber or non-cyber.

Errors in the use of email are a big factor behind data issues, where we see common problems such as:

  1. Emails sent to incorrect recipients.
  2. Emails from people pretending to be someone else – ‘blagging’. Blagging occurs when someone poses as a trusted individual to obtain personal information from their victim or to encourage the victim to perform actions, such as a bank transfer.
  3. Emails containing phishing and other scams and malware. Phishing is an attack used to steal data including login details and credit card details. The attacker will generally pose as a trusted entity and dupe the victim into responding to an email or text message.
  4. Emails with incorrect or wrong content and referencing of individuals.

No Deal Brexit – implications for Data Protection

In our blog today, we look at the implications for Data Protection in the event of a No Deal Brexit, an increasingly likely scenario given the inability of the politicians in both houses to agree on a sensible approach.

A very informative article by FieldFisher explains that the EU Withdrawal Agreement seeks to ensure there is no disruption to data flows after Brexit.

Transition period

Currently, the EU Withdrawal Agreement proposes that during the Implementation/Transition phase, i.e. the period from March 2019 until the Treaty governing the future relationship is agreed, existing EU laws will continue to apply within the United Kingdom.

This means that businesses and practices still need to comply with the existing regulations – the UK Data Protection Act 2018 and the EU General Data Protection Regulation. So, no change there.

Future relationship

The UK government and businesses on both sides of the Channel would like the free flow of personal data to continue after the Transition period ends. Once the UK is outside of the EU, achieving this would take the form of an adequacy decision, similar to the adequacy decisions the EU has given to countries such as the United States, Canada, New Zealand and Argentina, which ensure the free flow of data.

An adequacy ruling from the EU Commission effectively means that the Data Protection laws in a country are adequate to ensure the protection of individuals’ rights regarding personal data.

The Political Declaration

The political declaration on the future relationship between the UK and the EU describes the ‘endeavour’ to adopt an adequacy decision by the end of the Transition period.

Given that the UK government adopted all of the GDPR provisions into the UK Data Protection Act 2018, my personal opinion is that it would be astounding and rather disingenuous if the EU did not grant the UK an adequacy decision.

But what happens if there is No Deal before March 2019?

The UK ceases to be a member of the EU in March 2019, instead becoming a Third Country. If the EU Withdrawal Agreement Bill does not go through UK Parliament, there will be no agreement for either the Transition period or a plan for a future trading agreement.

From a Data Protection perspective, Third Countries either require an adequacy decision OR must implement other safeguards for data transfers from the EU to third countries and vice versa.

What are the other safeguards?

  1. A legally binding and enforceable instrument (e.g. contract, agreement) between public authorities or bodies. If you are a private organisation, this is not the solution.
  2. Binding Corporate Rules – BCRs are an internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EEA entities to non-EEA group entities. However, BCRs must be submitted for approval to an EEA Supervisory Authority, which can be a lengthy and expensive process. If you are an SME, this is not (or is unlikely to be) the solution.
  3. Standard contractual clauses (or model clauses) adopted by the EU Commission – these can be used in contracts and have been approved by the EU, but have yet to be updated to reflect the EU GDPR. The clauses cover the transmission or processing of personal data from/to non-EEA countries, BUT only when used in their entirety and without amendment.

So the standard contractual clauses need to exist in any contract where the transfer of personal data occurs outside the UK (currently outside the EEA).

This means:

If we exit the EU without a deal, your organisation or practice very quickly needs to:

  • Understand what data you have, how it flows and which countries the data is received from or flows to.
  • Be prepared to review and possibly update any contract with another organisation outside of the UK where data flows from and to.

If you have not yet done your homework or analysis on your organisation’s data, I strongly recommend this is made a priority task for January 2019, especially if the EU Withdrawal Agreement Bill is not approved by UK Parliament in a few weeks. You should have done this anyway, as part of Data Protection compliance.

Something to think about in January.

Today’s fact. Did you know that data merely in transit through a country is not subject to the EU GDPR? This means that the data must not be stored, processed, accessed or amended in any way; it just passes through.

=> At least that’s one thing you don’t need to worry about!

That’s it from me for 2018. I’ll be back in January 2019 with an update on the implications of Brexit for Data Protection.

Wishing you and your families a very happy festive season!

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Do I need a Data Protection Officer?

In our blog today, from Karen Heaton at Data Protection 4 Business, we look at Data Protection Officers. Do you need one?

Well… probably not, unless you regularly and systematically monitor data subjects on a large scale, or you are a local authority.

OK, so you don’t. BUT you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and the Data Protection Act. So, somebody needs to be responsible!

Responsible for what?

Even for small and medium sized organisations, someone will need to be skilled and available to undertake these tasks:

  • Responding to Subject Access Requests and managing Data Breaches
  • Reviews of security – physical and IT
  • Making sure your organisation is compliant or has a work plan to become compliant
  • Training staff in all areas and responding to any queries from clients, suppliers or staff – remember the lessons from Data Breaches in our earlier blog? Staff can be a major source of data breaches – unintentionally or not!
  • Working across all business functions, such as IT, Marketing, Finance and operations to understand the data in use and ensure operational procedures are in place
  • Policing the operations to ensure procedures are being followed AND are effective

What skills are needed? Can this be outsourced? Absolutely yes.

A good DPO should be able to wear many hats and have a wide range of skills.

  • Strong IT knowledge, detailed understanding of the regulations, know what ‘being compliant’ looks like and good project management skills to manage the changes needed within an organisation
  • Be active in the Data Protection space, follow trends, keep abreast of risks and continually scan for solutions e.g. software products to automate tasks
  • Save you time and money. For small and medium sized organisations, training up a member of staff or a small team can be costly and time consuming, so outsourcing can be a cost-effective solution
  • Support your organisation in Data Protection Impact Assessments to identify business risks
  • Be independent and objective. A key requirement of the role according to the regulations

Internal resource or an outsourced service?

This depends on a number of factors, and it can be a long list! But it mainly boils down to a) what risks your organisation may be running and b) what skills your resources have.

  • What are your data risks? Do you process Sensitive or Child data? Do you store financial details?
  • How many customers, staff and suppliers do you have?
  • Where are your data stored?
  • Do you sell things via your website?
  • Is your industry a target for cyber attacks?

There’s a lot to think about, that’s for sure.

Today’s fact. According to the GDPR and Data Protection Act, the DPO role can be outsourced to another organisation.

=> This may be a more efficient solution for your business. However, do check their credentials first!

GDPR and Data Protection Accountability – How can you demonstrate your compliance?

In our blog from Karen Heaton of Data Protection 4 Business today, we look at Accountability, one of the Seven Principles of GDPR and the Data Protection Act 2018.

What is it?

Accountability is your requirement to demonstrate how your organisation or practice is compliant with the regulations.

This sounds simple, but what does it really mean? If ever audited or investigated, what would you show the investigators?

Let’s take a look at the route to Data Protection compliance and some essential measures that organisations should have in place to meet this requirement.

What is the minimum you might need to meet the Accountability requirements?

1. Ensure your employees have some training in Data Protection – this is the responsibility of the Controller

  • We discussed the causes of Data Breaches: 30% – 40% are due to employees.

2. Do you know what data you hold? We discussed Know Your Data (KYD) in our blog on Data Breaches:

  • why you have that data
  • what you do with it
  • who sees it
  • where it is kept

3. Understand Your role – this determines what your responsibilities are

  • whether you are a Data Controller, a Data Processor or both (highly likely)

4. Have essential operational policies and procedures (measures) in place to deal with:

  • Data breaches
  • Subject Access requests
  • Management of consent

5. Have you communicated your Privacy Notices to clients, employees, suppliers?

6. Do you need to register with the Information Commissioner’s Office (probably)?

  • Use the checklist from the ICO
  • The ICO explains the fees – for SMEs they range from £40 to £60 per annum

7. Decide who will be responsible for Data Protection within your organisation – it must be someone!

Today’s fact:

The ICO uses a number of factors to decide what fines (or other actions) to take against organisations. In fact, when submitting Data Breach information to the ICO, organisations must answer questions about staff training and the operational measures that were in place to prevent breaches.

=> Put the essential operational measures in place now to avoid issues in the future.

See you next week!
