New data law to boost trust

Don’t get left behind on General Data Protection Regulation (GDPR). It’s happening on 25 May. Jane Braithwaite presents a very practical guide for any Independent Practitioner Today readers who have so far failed to react…

I hear you groan. Not another article on the EU’s General Data Protection Regulation (GDPR). It’s beginning to feel a lot like the millennium bug. Lots of noise, confusion and uncertainty. Are you tempted to just ignore it and hope that it all goes away? Please don’t.

I have attempted to write a very practical guide on GDPR, what it is and what we, as individuals responsible for medical practice management, can do to break through the panic and feel calm and perhaps even a little bit smug that we have it all in hand.

The problem with GDPR, like most regulations, is that there is no definitive solution. It’s like saying to parents that they must, by law, give their children a healthy diet and will be fined if they fail to do so.

Each individual’s interpretation of what constitutes healthy is different. Research leads us down many different alleyways, and we struggle to know what is accurate and what is simply a commercial opportunity.

Nobody can give us a set of rules to follow that ensure success. We have to interpret the information and make our own decisions. I am no expert and I do not pretend to be one, but I am sharing my understanding and my thoughts on how we can deal with this important issue.

Significant requirements

The GDPR will be implemented from 25 May 2018, replacing the UK’s Data Protection Act 1998 (DPA).

Now, although private medical practices should already be working in accordance with the DPA to manage patient records, the GDPR has some significant new requirements.

The GDPR applies to anyone who processes personal data relating to EU citizens. In the case of healthcare, this not only includes patient records, but any data related to employees and suppliers.

The consequences of not meeting the requirements, or failing to notify the authorities of a breach, could be harsh indeed. If a healthcare provider breaches the GDPR, they could face a fine of up to €20m or 4% of annual turnover.

Why is the GDPR being introduced?

The GDPR has two primary aims: to simplify regulation across the EU and to give individuals more control of their personal data.

It’s important to see the GDPR as more than a box-ticking exercise. It is really more of a cultural change to ensure that businesses are accountable and transparent with data.

In addition, healthcare has been shown to be particularly vulnerable to cyber crime in 2017 as evinced by the WannaCry NHS attack among others. Individuals are more concerned about the security and privacy of their data than ever.

The Information Commissioner’s Office (ICO) is the UK’s Data Protection Authority and its role is to ‘uphold information rights in the public interest’. In 2017, the ICO found that 80% of the public didn’t have trust or confidence in the companies storing their private data.

Adherence to the GDPR will help build patient trust, which is something all healthcare providers surely value.

Elizabeth Denham, the UK Information Commissioner in charge of the ICO, commented on the strong links between data privacy and data security.

She went on to underline the positive role of the GDPR: ‘Thinking that GDPR is about crippling financial punishment misses the point. GDPR is about enhanced rights for individuals.’

Who is responsible for implementing GDPR?

The new regulation applies to both ‘data controllers’ and ‘data processors’. The ICO defines the roles as follows: ‘A controller determines the purposes and means of processing personal data.

‘A processor is responsible for processing personal data on behalf of a controller.’

In the context of a private medical practice, a data controller could be the principal consultant and the data processor could be the practice manager, medical secretary, IT consultant or anyone who acts on the processor’s behalf.

What data is included in the GDPR?

Data processed within a medical environment will include names, addresses, email addresses and medical information. For self-pay patients, bank details will also need to be processed in line with the regulations.

Medical photography is considered personal data, as are recorded phone calls and any social media interactions you may have with patients – although any communications made in this way will also be subject to additional guidance set out by the GMC.

You need to apply the same rules to personal data you may hold about employees and suppliers.

What are the main requirements of the GDPR?

Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are:

Consent – Terms and conditions relating to consent need to be accessible and clear, using plain language. Companies can no longer use lengthy and illegible terms and conditions, and must make it easy for subjects and clients to withdraw their consent.

Breach notifications – The ICO must be notified of any breaches within 72 hours of the data processors and controllers becoming aware of the breach. This is a mandatory step where a breach is likely to put at risk the ‘rights and freedoms of individuals’.

Right to access – Data subjects – patients, in the case of private medical practices – have the right to request and obtain from the data controller information relating to whether or not their data has been processed and for what purpose. The controller is obliged to provide a free electronic copy of any personal data being held.

Data portability – This relates to a subject or patient’s right to request and receive their data, and the right to transfer that data to another company.

Data Protection Officers (DPO) – The new regulation requires a DPO to be appointed only in situations where the company’s activities include the ‘regular and systematic monitoring of data subjects on a large scale’, or if the company is a public authority.

Penalties – Breaches of the GDPR can result in a fine of up to €20m or 4% of annual turnover, whichever is the larger amount. This amount is in relation to the most serious violations.

A company can also be fined up to 2% for less serious breaches.

See the EU GDPR portal for more information on all changes and requirements, including the full criteria for DPO appointments.

How will Brexit affect the GDPR?

The GDPR applies to all companies located within the EU that process and hold personal data. Companies located outside the EU will also need to comply with the regulation if they provide services to people residing in the EU.

In the international arena of private healthcare, there is a strong likelihood that services will be offered to EU residents. As a result, it would be sensible for practices to ensure they are working within the regulatory framework of the GDPR, so they are compliant even after the UK leaves the EU.

How do I assess my practice for compliance?

The ICO’s online self-assessments are an excellent tool for business managers or principal consultants who are unsure how compliant their practices are.

Top Tip

Read the ICO’s Preparing for the GDPR: 12 steps to take now. An 11-page illustrated PDF is a lot easier to assimilate than the full 300 pages of the GDPR itself.

There is no magic pill for meeting GDPR requirements, and it’s an ongoing process to ensure that your practice complies.

But there is a wealth of information available, and the ICO has shown a supportive and positive approach in order to help businesses protect personal data.

Jane Braithwaite is Managing Director at Designated Medical and regularly contributes to the Independent Practitioner Today publication.

Download the full article: https://designatedmedical.com/wp-content/uploads/2018/12/IPT-May-2018.pdf

GDPR – is your practice ready for May 2018?

UPDATED OCTOBER/NOVEMBER 2018

We are currently publishing an up-to-date series of blogs related to GDPR, data protection and private medical practices, written by Karen Heaton of Data Protection 4 Business. The series starts with: GDPR for Healthcare – Introduction

UPDATED: JUNE 2018 – This blog was originally published in November 2017 in order to help private medical practices prepare for the implementation of the new General Data Protection Regulation (GDPR).

Whilst the deadline for compliance with the GDPR officially passed on 25th May, it is not too late to ensure that you have implemented the correct procedures in order to protect your patients’ and employees’ data.

Please read the blog for more information and useful links.

ORIGINAL BLOG:

Next May sees the implementation of a new piece of EU regulation – the General Data Protection Regulation (GDPR).

Any business, including private medical practices, should be working in accordance with the Data Protection Act 1998 where any personal data is used or collected. There are similarities between the GDPR and the DPA, but this new regulation has some additional requirements that will need to be addressed. So, what are these requirements and what does your practice need to do to ensure you’re ready for May 2018?

New requirements for data controllers and processors

This new data regulation is applicable to data controllers and data processors. In the context of a private medical practice, a data controller could be the principal consultant and the data processor could be the practice manager, medical secretary, IT consultant, or anyone who acts on the processor’s behalf.  

Data processed within a medical environment will include names, addresses, email addresses and medical information. For self-pay patients, bank details will also need to be processed in line with the regulations. Medical photography will also be considered personal data, as will any social media interactions you may have with patients (although any communications made in this way will also be subject to additional guidance set out by the GMC).  

Key changes

Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are: 

  • Penalties – Breaches of the GDPR can result in a fine of up to €20 million or 4% of annual turnover, whichever is the larger amount. This amount is in relation to the most serious violations. A company can also be fined up to 2% for less serious breaches.
  • Consent – Terms and conditions relating to consent need to be accessible and clear, using plain language. Companies can no longer use lengthy and illegible terms and conditions, and must make it easy for subjects and clients to withdraw their consent.
  • Breach notifications – The relevant regulatory authority will need to be notified of any breaches within 72 hours of the data processors and controllers becoming aware of the breach. This is a mandatory step where a breach is likely to put at risk the “rights and freedoms of individuals”.
  • Right to access – Data subjects (patients, in the case of private medical practices) have the right to request and obtain from the data controller information relating to whether or not their data has been processed and for what purpose. The controller is obliged to provide a free electronic copy of any personal data being held.
  • Data portability – This relates to a subject or patient’s right to request and receive their data, and the right to transfer that data to another company.
  • Data protection officers – The new regulation requires a DPO to be appointed only in situations where the company’s activities include the “regular and systematic monitoring of data subjects on a large scale”, or if the company is a public authority.

More information on all changes and requirements, including the full criteria for DPO appointments, can be found HERE. 

What about Brexit – do I still need to prepare for the GDPR? 

The GDPR applies to all companies located within the EU that process and hold personal data. Companies located outside of the EU will also need to comply with the regulation if they provide services to people residing in the EU. In the international arena of private healthcare, there is a strong likelihood that services will be offered to EU residents. As a result, it would be sensible for practices to ensure they are working within the regulatory framework of the GDPR, so they are compliant even after the UK leaves the EU. 

How do I assess my practice for compliance? 

For business managers or principal consultants who are unsure how compliant their practices are, the ICO has a useful self-assessment toolkit. 

What happens if my practice does not comply? 

The GDPR came into effect last year, but will be enforced in May 2018. Non-compliance could result in a fine of up to 4%, so it is crucial to take a look at your data management policies and procedures to ensure that you comply with the regulations. 

Data protection at Designated Medical 

Designated Group, including Designated Medical, is committed to protecting clients’ privacy and conducts all work in line with the Data Protection Act 1998. We work closely with clients to ensure that data protection laws are adhered to, and all data is stored securely and is encrypted when necessary.

For more information on our services please call 020 7952 1008, or visit our website at designatedmedical.com