What else happened? Well, on the same day, the UK brought in the Data Protection Act 2018 (DPA), which replaced the Data Protection Act 1998, and you will be reassured to know that the core of the EU GDPR is carried into our new 2018 Act, which supplements the GDPR in UK law (together with other UK-specific provisions).
But have you done everything to ensure that you are compliant with the new data protection regulations? Here at Designated Medical, we aim to support you in all areas of your administration, so we’re delighted to introduce a new series of guest blogs from Karen Heaton, founder of Data Protection 4 Business, to guide you through the recent changes and what they mean, in pragmatic terms, for your organisation or private medical practice.
GDPR and data protection for healthcare – Karen Heaton, Data Protection 4 Business
Sitting comfortably? Good. Then let’s begin.
- Increased penalties
Fines of up to €10 million or 2% of global annual turnover, rising to €20 million or 4% for the most serious infringements (whichever figure is higher), orders to cease processing or, in severe cases, criminal proceedings. But you knew that already, right? We will take a look at the key risks which may give rise to high penalties.
- Consent
Additional conditions for obtaining and maintaining consent are now law. We all received sackfuls of emails from companies requesting our permission to remain on their marketing distribution lists in the first half of 2018. But was this necessary? Well, that depends on your organisation and what data processing you undertake. We will look at examples of where consent is clearly required and where it may not be.
- Data Breach notifications
In certain instances the relevant supervisory authority (in the UK, this is the Information Commissioner's Office (ICO)) must be informed, and within 72 hours of becoming aware of the breach. The exception is a breach that is unlikely to result in a risk to the rights and freedoms of the individuals affected; conversely, where the risk to those individuals is high, they must be told as well. But what exactly constitutes a data breach that must be reported? Whose responsibility is it to report it? We will look at examples of breaches and discuss how to assess them.
- Right to access (SAR)
Data subjects can request a free copy of the personal data relating to them that your practice or organisation holds. For private medical practices, how does this compare with the Access to Medical Reports Act 1988? For other organisations, what can or can't you disclose? We will look at examples for both of these.
- Accountability
There is now a requirement to be able to demonstrate how your organisation or practice complies with the GDPR and the DPA (the accountability principle). This sounds simple, but what does it really mean? If you were ever audited or investigated, what would you show the ICO? We will look at essential examples of what you should have in place to meet this requirement, such as a record of your processing activities, your privacy notices and your documented policies.
- Data Protection Officers (DPO)
Are you legally required to have a DPO? Probably not, unless you are a public authority (which includes local authorities), your core activities involve regular and systematic monitoring of data subjects on a large scale, or your core activities involve large-scale processing of special category data (which includes health data) or criminal conviction data. The last of these is the condition a private medical practice should check most carefully. But even where no DPO is required, you still need someone in your practice or organisation who is responsible for ensuring your business complies with the GDPR and the DPA. We will look at the various activities and tasks your nominated person needs to take care of.
- No-deal Brexit?
We are tracking the implications of a no-deal outcome to the Brexit negotiations and will round off 2018 with our best guidance on how you may need to prepare for this, still unlikely, scenario.
Today’s fact: the ICO reported a 31% increase in the number of cyber security incidents reported to it in January to March 2018 compared with the same period the previous year. => Make sure your systems and security software are patched and up to date!
See you next week!
Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited
Further blogs in the series:
Data Protection Operational Risks and Penalties