The problem with GDPR, like most regulations, is that there is no definitive solution. It’s like saying to parents that they must, by law, give their children a healthy diet and will be fined if they fail to do so.
Each individual interpretation of what constitutes healthy is different; research leads us down many different alleyways, and we struggle to know what is accurate and what is merely a commercial opportunity.
Nobody can give us a set of rules to follow that ensure success. We have to interpret the information and make our own decisions. I am no expert and I do not pretend to be one, but I am sharing my understanding and my thoughts on how we can deal with this important issue.
The GDPR will be implemented from 25 May 2018, replacing the UK’s Data Protection Act 1998 (DPA).
Now, although private medical practices should already be working in accordance with the DPA to manage patient records, the GDPR has some significant new requirements.
The GDPR applies to anyone who processes personal data relating to EU citizens. In the case of healthcare, this not only includes patient records, but any data related to employees and suppliers.
The consequences of not meeting the requirements, or failing to notify the authorities of a breach, could be harsh indeed. If a healthcare provider breaches the GDPR, they could face a fine of up to €20m or 4% of annual turnover.
Why is the GDPR being introduced?
The GDPR has two primary aims: to simplify regulation across the EU and to give individuals more control of their personal data.
It’s important to see the GDPR as more than a box-ticking exercise. It is really more of a cultural change to ensure that businesses are accountable and transparent with data.
In addition, healthcare has been shown to be particularly vulnerable to cyber crime in 2017 as evinced by the WannaCry NHS attack among others. Individuals are more concerned about the security and privacy of their data than ever.
The Information Commissioner’s Office (ICO) is the UK’s Data Protection Authority and its role is to ‘uphold information rights in the public interest’. In 2017, the ICO found that 80% of the public didn’t have trust or confidence in the companies storing their private data.
Adherence to the GDPR will help build patient trust, which is something all healthcare providers surely value.
Elizabeth Denham, the UK Information Commissioner in charge of the ICO, commented on the strong links between data privacy and data security.
She went on to underline the positive role of the GDPR: ‘Thinking that GDPR is about crippling financial punishment misses the point. GDPR is about enhanced rights for individuals.’
Who is responsible for implementing GDPR?
The new regulation applies to both ‘data controllers’ and ‘data processors’. The ICO defines the roles as follows: ‘A controller determines the purposes and means of processing personal data.
‘A processor is responsible for processing personal data on behalf of a controller.’
In the context of a private medical practice, a data controller could be the principal consultant and the data processor could be the practice manager, medical secretary, IT consultant or anyone who acts on the processor’s behalf.
What data is included in the GDPR?
Data processed within a medical environment will include names, addresses, email addresses and medical information. For self-pay patients, bank details will also need to be processed in line with the regulations.
Medical photography is considered personal data, as are recorded phone calls and any social media interactions you may have with patients – although any communications made in this way will also be subject to additional guidance set out by the GMC.
You need to apply the same rules to personal data you may hold about employees and suppliers.
What are the main requirements of the GDPR?
Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are:
➲ Consent – Terms and conditions relating to consent need to be accessible and clear, using plain language. Companies can no longer use lengthy and unintelligible terms and conditions, and must make it easy for subjects and clients to withdraw their consent.
➲ Breach notifications – The ICO must be notified of any breach within 72 hours of the data processors and controllers becoming aware of it. This is a mandatory step where a breach is likely to put at risk the ‘rights and freedoms of individuals’.
➲ Right to access – Data subjects – patients, in the case of private medical practices – have the right to request and obtain from the data controller information on whether or not their data has been processed and for what purpose. The controller is obliged to provide a free electronic copy of any personal data being held.
➲ Data portability – This relates to a subject or patient’s right to request and receive their data, and the right to transfer that data to another company.
➲ Data Protection Officers (DPO) – The new regulation requires a DPO to be appointed only in situations where the company’s activities include the ‘regular and systematic monitoring of data subjects on a large scale’, or if the company is a public authority.
➲ Penalties – Breaches of the GDPR can result in a fine of up to €20m or 4% of annual turnover, whichever is the larger amount. This amount applies to the most serious violations. A company can also be fined up to 2% for less serious breaches.
See the EU GDPR portal for more information on all changes and requirements, including the full criteria for DPO appointments.
How will Brexit affect the GDPR?
The GDPR applies to all companies located within the EU that process and hold personal data. Companies located outside the EU will also need to comply with the regulation if they provide services to people residing in the EU.
In the international arena of private healthcare, there is a strong likelihood that services will be offered to EU residents. As a result, it would be sensible for practices to ensure they are working within the regulatory framework of the GDPR, so they are compliant even after the UK leaves the EU.
How do I assess my practice for compliance?
The ICO’s online self-assessments are an excellent tool for business managers or principal consultants who are unsure how compliant their practices are.
Read the ICO’s Preparing for the GDPR: 12 steps to take now. An 11-page illustrated PDF is a lot easier to assimilate than the full 300 pages of the GDPR itself.
There is no magic pill for meeting GDPR requirements, and it’s an ongoing process to ensure that your practice complies.
But there is a wealth of information available, and the ICO has shown a supportive and positive approach in order to help businesses protect personal data.