No Deal Brexit – implications for Data Protection

No Deal Brexit – implications for Data Protection

In our blog today, we look at the implications for Data Protection in the event of a No Deal Brexit.  An increasingly likely scenario, given the inability of the politicians in both houses, to agree on a sensible approach.

A very informative article by FieldFisher explains that the EU Withdrawal Agreement seeks to ensure there is no disruption to data flows after Brexit.

Transition period

Currently, the EU Withdrawal Agreement proposes that during the Implementation / Transition phase, ie the period between March 2019 and until the Treaty governing the future relationship is agreed, existing EU laws will apply within the United Kingdom.

This means that businesses and practises still require to be compliant with the existing regulations – UK Data Protection Act 2018 & EU General Data Protection Regulation.  So, no change there.

Future relationship

The UK government and businesses on both sides of the channel, would like continued free flow of personal data after the Transition period ends.  To achieve this, once the UK is outside of the EU, it would take the form of an adequacy decision, similar to adequacy decisions given by the EU to countries for example, the United States, Canada, New Zealand and Argentina which ensure the free flow of data.

An adequacy ruling from the EU Commission effectively means that the Data Protection laws in a country are adequate to ensure the protection of individuals rights regarding personal data.

The Political Declaration

The political declaration on the future relationship between the UK and the EU, describes the ‘endeavour’ to adopt an adequacy decision by the end of the Transition period.

Given that the UK government adopted all of the GDPR provisions into the UK Data Protection Act 2018, my personal opinion is that it would be astounding and rather disingenuous if the EU did not grant the UK an adequacy decision.

But what happens if there is No Deal before March 2019?

The UK ceases to be a member of the EU in March 2019, instead becoming a Third country.  If the EU Withdrawal Agreement Bill does not go through UK Parliament, there will be no agreement for either the Transition period or a plan for a future trading agreement.

In becoming a Third Country from a Data Protection perspective, Third countries either require an adequacy decision OR must implement other safeguards for data transfers from EU to third countries and vice versa.

…. What are the other safeguards?

  1. A legally binding and enforceable instrument (eg contract, agreement) between public If you are a private organisation, this is not the solution.
  2. Binding Corporate rules – BCRs are an internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EEA entities to non-EEA group entities. However, BCRs must be submitted for approval to an EEA Supervisory authority – which can be a lengthy and expensive process.  If you are a SME private organisation, this is not (or unlikely to be) the solution.
  3. Standard contract clauses (or model clauses) adopted by the EU commission – these can be used in contracts and have been approved by the EU, but have yet to be updated to reflect the EU GDPR. The clauses cover the transmission or processing of personal data from / to non-EEA countries, BUT only when used in their entirety and without amendment.

So the standard contract clauses need to exist in any contract where the transfer of personal data occurs outside the UK (currently outside the EEA).

This means….

If we exit the EU without a deal, your organisation or practise very quickly needs to:

  • Understand what data you have, how it flows and which countries the data is received from or flows to.
  • Be prepared to review and possibly update any contract with another organisation outside of the UK where data flows from and to.

If you have not yet done your homework or analysis on your organisation’s data, I strongly recommend this is a priority task for January 2019, especially if the EU Withdrawal Agreement Bill is not approved by UK Parliament in a few weeks.  You should have done this anyway, as part of Data Protection compliance.

Something to think about in January.

Today’s fact.   Did you know that data in transit only through a country is not liable to EU GDPR?  This means that the data must not be stored, processed, accessed or amended in any way, it just passes through.

=>   At least that’s one thing you don’t need to worry about!

That’s it from me for 2018.  I’ll be back in January 2019 with an update on the implications of Brexit for Data Protection.

Wishing you and your families a very happy festive season!

Karen Heaton Data Protection 4 Business


Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Data Protection for Business offers outsourced data protection officer services:

Previous blogs in the series:

Do I need a Data Protection Officer?

Do I need a Data Protection Officer?

In our blog today, from Karen Heaton at Data Protection 4 Business, we look at Data Protection Officers? But do you need one?

Well… probably not, unless you regularly and systematically monitor data subjects on a large scale. Or you are a local authority.
Ok, you don’t. BUT you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and the Data Protection Act. So, somebody needs to be responsible!

Responsible for what?

Even for small and medium sized organisations, someone will need to be skilled and available to undertake these tasks:

  • Responding to Subject Access Requests and managing Data Breaches
  • Reviews of security – physical and IT
  • Making sure your organisation is compliant or has a work plan to become compliant
  • Training staff in all areas and respond to any queries from clients, suppliers or staff – remember the lessons from Data Breaches in our earlier blog? Staff can be a high source of data breaches – unintentionally or not!
  • Working across all business functions, such as IT, Marketing, Finance and operations to understand the data in use and ensure operational procedures are in place
  • Policing the operations to ensure procedures are being followed AND are effective

What skills are needed? Can this be outsourced? Absolutely yes.

A good DPO should be able to wear many hats and have a wide range of skills.

  • Strong IT knowledge, detailed understanding of the regulations, know what ‘being compliant’ looks like and good project management skills to manage the changes needed within an organisation
  • Be active in the Data Protection space, follow trends, keep abreast of risks and continually scan for solutions e.g. software products to automate tasks
  • Save you time and money. For small and medium sized organisations, training up a member of staff or a small team can be costly and time consuming, so outsourcing can be a cost-effective solution
  • Support your organisation in Data Protection Impact Assessments to identify business risks
  • Be independent and objective. A key requirement of the role according to the regulations

Internal resource or an outsourced service?

This depends on a number of factors and it can be a long list! But it mainly boils down to a) what risks your organisations may be running and b) what skills your resources have.

? What are your data risks? Do you process Sensitive or Child data? Do you store financial details?
? How many customers, staff, suppliers do you have?
? Where are your data stored?
? Do you sell things via your website?
? Is your industry a target for cyber attacks?

There’s a lot to think about, that’s for sure.

Today’s fact. According to the GDPR and Data Protection Act, the DPO role can be outsourced to another organisation.

=> This may be a more efficient solution for your business. However, do check their credentials first!

Karen Heaton Data Protection 4 Business


Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Data Protection for Business offers outsourced data protection officer services:


Previous blogs in the series:


Data Protection Operational Risks & Penalties

Data Protection Operational Risks & Penalties

In the second in our series of blogs from Karen Heaton of Data Protection 4 Business, she looks at the potential risks involved in GDPR and Data Protection Act (2018) non-compliance.

Operational Risks and Penalties

We all know about the potential for huge fines from the new EU General Data Protection Regulation (GDPR) and now the UK Data Protection Act 2018. These have been grabbing headlines for over a year in the lead up to Implementation-Day of 26th May 2018.

Most headline penalties are based on the highest maximum level of fines 4% of global annual turnover or Euro 20m, whichever is highest. But there is also a standard maximum level, which is 2% of global annual turnover or Euro 10m. Yes, both are hefty penalties – as they apply to turnover, not profits.

Higher level penalties can apply to any failure relating to: the data protection Principles; rights of the individual and data transfers to third countries.

Standard maximum level penalties can apply to infringement of administrative requirements of the regulations. So, breaches of controller or processor obligations, for example.

The size of the penalty will depend on a number of factors: the behaviour of the organisation; what steps have been taken to be compliant; how this can be demonstrated to the ICO and whether the organisational culture takes data protection seriously.

Information Commissioners Office

Data breach penalties

So, let’s look at some recent data breach penalties:

Heathrow Airport data breach loss of a USB stick in Oct 2017 – penalty of £120k was levied under the previous Data Protection Act 1998. The investigation by the ICO found:

  •  only 2% of the 6,500 strong workforce had been trained in Data Protection
  • there was widespread use of removable media (eg USB sticks, CDs) which contravened the company’s guidance
  •  ineffective controls were in place to prevent personal data from being downloaded onto unauthorised or unencrypted (removable) media

Bayswater Medical Centre – left sensitive data in an empty building in July 2015 – penalty of £35k levied under the previous Data Protection Act 1998. The investigation by the ICO found:

The data was left from July 2015 – February 2017 during which time access to the building was granted to other organisations. Emails to the medical centre about the unsecured data had not been actioned.

  • Examples of how poorly the data was secured in the empty building:
  • Patient identifiable data was lying on a desk and in a bin in one of the consultation rooms
  • Medical records stored in 2 unlocked cabinets with the keys left in the locks
  • Boxes of prescribed medication containing patient identifiable information left throughout the premises

The ICO found that the Centre had:

  • Failed to adhere to its own policies regarding security of medical records, patient confidentiality and confidential waste disposal
  • Failed to take adequate physical measures to secure the building
  • Failed to take any or any sufficient measures to secure the physical security of patient identifiable data in the building

Former hospital worker prosecuted for inappropriately accessing patient records in March 16 – January 17

  • She inappropriately accessed the records of 12 patients outside of her role as receptionist/general
  • She was prosecuted for unlawfully accessing personal data and unlawfully disclosing personal data under the Data Protection Act 1998 and additionally fined £230

What does this mean for your practice or organisation?

Well, a number of risk reduction steps should be taken: staff training in data protection; data handling guidelines; security procedures – physical and electronic; encryption of removable devices; restriction of data downloads; understanding your role – Controller/Processor; Data breach procedures; being able to demonstrate compliance with data protection regulations; building a culture of taking data protection seriously. There’s more. See our checklist!

Today’s fact. The ICO quarterly statistics on reported data security incidents found that in Q4 2017, four of the five leading causes (cases where the ICO took action) involved human errors and process (control) failures.

=> Employee training and data handling guidelines are ‘must haves’ for organisations processing Sensitive (ie Medical) Data.

See you next week!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

E for easy learning: top healthcare podcasts

E for easy learning: top healthcare podcasts


Jane Braithwaite shows how to make the most of the world of podcasts at your disposal.

Our busy lives mean that we do not always have the time to sit down and enjoy listening to and watching the things we are interested in. Who among us is not guilty of recording and downloading TV programmes and never getting around to watching them? Perhaps this is the reason why, according to Radio Joint Audience Research (RAJAR), podcasts are now downloaded by more than 4.5m adults in the UK alone.

Podcasts can be neatly described as online radio broadcasts on demand, with the word ‘podcast’ itself being a combination of ‘iPod’ and ‘broadcast’.

Users can subscribe to online channels and have episodes of their favourite podcasts – available as both audio and video broadcasts – automatically down­loaded to their devices, much like a subscription to a journal or magazine.

Of course, for many people, listening to a podcast is not a necessity but a pleasure, and a quick look at iTunes shows the huge number of podcasts classed as comedy or games and hobbies.

Well-known organisations such as the BBC offer a large library of programmes. Whether you are after drama, sport, politics or factual programmes, all tastes are catered for and the online homes of radio stations such as talkRADIO also hold archives of their popular programmes.

However, for a busy private medical practitioner, podcasts can be an opportunity to catch up on developments in their area of expertise or in healthcare in general, and even clock up some valuable hours for continuing professional development (CPD) requirements.

Continuing professional development

The GMC considers CPD to be any learning outside of undergraduate or postgraduate courses that supports doctors in improving and maintaining their performance, which includes both formal and informal learning.

So as well as being a way to update yourself on industry developments, podcasts can also be a valuable tool when it comes to education and CPD.

Many of the royal colleges recognise the importance of e-learning and also recognise the benefits of podcasts.

Several of these institutions publish regular free content for their members.

Some sources are also freely available to non-members – the Royal College of General Pract­itioners, the Royal College of Emer­gency Medicine, and the Royal College of Psychiatrists, for example.

Their online libraries are extensive and of high quality. RCPsych, for instance, has an online library of over 100 peer-reviewed podcasts to support CPD on the go, providing a great source of information to help members improve their knowledge, hone new skills and keep up to date with new research.

Another example is the RCGP, which runs a programme that contributes to CPD: the Essential Knowledge Update programme.

Ideal for the busy GP, this programme’s podcast provides practitioners with a biannual update that focuses on the very latest updates in terms of regulations and information and provides GPs with support in terms of how to apply new knowledge in the clinical setting.

These podcasts usually feature the authors of the programmes modules, whose knowledge of the subject helps to provide a deeper level of expertise.

As well as being a great way to address the learning and development needs of a medical practitioner, these podcasts are a cost-effective source of learning.There are, of course, costs associated with society membership, so why not take advantage of all the sources these prestigious organisations have to offer?

Top talent

When the topic at hand is developments in healthcare and the podcast is being listened to with a view to being educated, it is imperative that the content is of high standard.

In addition to royal colleges, there are many high-profile organisations that produce podcasts; The Lancet, TED Talks, British Medical Association, the British Medical Journal and the New England Journal Medicine to name but a few.

These organisations can attract top talent and field experts, and can be an invaluable source of information for anyone in the healthcare industry, from medical students revising for exams to consultants looking to maintain their level of knowledge.

Utility, versatility, accessibility

So we have established that the information is available and the standard is high, but what other factors can be taken into account? Why are podcasts so popular and why are they particularly useful to medical professionals?

Research carried out in 2010 by Schreiber et al has suggested that although there does not seem to be a real difference in terms of information retention, face-to-face learning is preferred in relation to engaging with the expert/teacher. But podcasts have an undeniable benefit in terms of reinforcing learning and accessibility.

Other studies, such as Ruiz et al’s 2006 examination of e-learning in medical education, support this.Their findings indicate that satisfaction rates are higher for e-learning in comparison to traditional learning, with factors such as ease of access and use being a major factor.

In addition to this, research conducted by the investment intelligence firm Edison gives weight to the idea of ease of access being a key factor in utilising audio technologies. It suggests that a third of all podcasts are listened to while on the go when travelling or commuting, or when carrying out other activities.

So commuting is suddenly an opportunity to catch up on the latest developments in healthcare. Taking the dog for a walk can now double up as prime time to listen to that documentary on rare diseases that you missed last week.

Of course, for today’s busy private practitioner, this is where the true value of listening to educational podcasts lies. Whether it is a bite-sized update on data governance regulations or a lengthy debate on topical healthcare issues, taking in the information can easily be done at the same time as making dinner or a gym session.

And this is the beauty of the podcast: the fact that it can be accessed anytime and anywhere. And when this is considered alongside high-quality content, there really is no better way to maintain one’s knowledge in the context of a hectic and busy schedule.

How to get the best out of podcasts

    • Set achievable goals. What do you hope to achieve? If you are listening to educational podcasts with a view to building up CPD hours, make sure you document your learning in some way. You could try collecting evidence of your learning by producing written reflections, for example.
    • Stay motivated. Consider putting together a schedule; set aside a certain number of hours per week to help you achieve your goal.
    • Consider materials published by journals. Do you subscribe to any scientific magazines or journals? If so, check out their websites for any downloadable podcast content. In fact, these are often available free of charge to non-subscribers too
    • Choose your app. There are many apps available to download that help you manage your podcasts. Take a few minutes to browse through your device’s app store and see what is on offer
    • Seek out peer-reviewed content. If you are a member of a royal college, take advantage of their online libraries. The content, including podcasts, is usually peer-reviewed and free of charge to members
    • Download your programme ahead of schedule. Who needs technical difficulties when time is of the essence? Avoid the issues associated with unreliable internet connectivity by download­ing your favoured podcast ahead of time. You are then at liberty to listen without buffering, glitches or even a sudden change in your own schedule
    • Consolidate your learning. Take advantage of other materials and sources that help to consolidate your learning. Some sources offer other online materials that allow you to test your knowledge retention; an ideal way to self-assess. You could also discuss your findings with colleagues, either offline or in online discussion forums
    • Put your learning into practice. Think about how can you apply your new-found knowledge to your everyday work
    • Be proactive. Try to stay attentive, asking yourself questions as you listen. If you are listening to a live podcast, you might have the opportunity to engage directly with the host, but if you are listening offline, try making notes – even if it is a mental one
    • Enjoy! With so many podcasts out there to choose from, you really are spoilt for choice. If you find you are not engaged with a programme, seek out something new

Jane Braithwaite is Managing Director at Designated Medical and regularly contributes to the Independent Practitioner Today publication.

[plsc_button url=”” target=”_self” color=”black” style=”flat” radius=”square” size=”st”]Download full article[/plsc_button]

Medical marketing & social media – ethics & guidelines for doctors & private practices

Medical marketing & social media – ethics & guidelines for doctors & private practices

Running a private medical practice involves more than just clinical activities. It’s crucial for consultants and managers to stay up to date on any changes to relevant regulations, such as the new General Data Protection Regulations, coming into effect in May 2018. It is also vital that the activities of the practice are conducted in line with guidance from the authorities (such as the GMC and the BMA). Services need to be marketed appropriately, especially when growing a practice. This week, we’ll be taking a look at what needs to be considered when assessing and implementing your private practice’s medical marketing and social media strategy.

Social media

A cost-effective medical marketing method, a huge part of many people’s lives, and a main way of communicating for many businesses. However, for doctors there are issues that need to be kept in mind when communicating in a professional capacity with patients, clients and colleagues over social media. These platforms are easy to use and can generate great levels of interested in your practice, but there are guidelines that need to be followed in relation to their ethical use.

  • Confidentiality – GMC guidelines state that doctors must be honest in all communications with patients, clients and colleagues. When using social media doctors need to be aware that a patient’s network may be able to see any communications between the two parties – confidentiality, therefore, is key.
  • Stay professional – Act with integrity, be honest and be trustworthy. As well as being good rules to play by in business, doctors are professionally obliged to act in this way in line with good medical practice guidelines.
  • Know your sites – Designated Medical’s MD, Jane Braithwaite, has written previously about the need to understand social media. Facebook and Twitter are of course two of the most popular sites for businesses and are the best platforms to use to connect with potential patients and clients, with LinkedIn providing a channel for communications with colleagues primarily.

Doctors need to assess the possible risks when using social media, and have a good understanding of the fact that misusing this tool could impact adversely on patient-doctor relationships and your professional reputation.

Medical marketing & advertising

The use of social media may involve more than just communicating with patients. As mentioned above, it is also a great tool for marketing and for advertising your practice. However, there are GMC guidelines to keep in mind for this area, too:

  • Any adverts for your practice must be factual and should not take advantage of your patients’ lack of medical knowledge.
  • The marketing of certain services and specialities is subject to specific guidelines. For cosmetic surgery, for example, surgeons need to make sure that their marketing makes it clear that a medical assessment will be conducted before any treatments are carried out. Treatments and services cannot be offered as prizes, and surgeons must be upfront about the results of any cosmetic procedure. This is crucial in terms of managing patient expectations.


Designated Medical


Our team at Designated Medical know how important it is to work within these guidelines. As part of our thorough induction process are required to read and sign our in-house medical marketing and social media policy. We also have a talented digital marketing team, who specialise in social media strategy and management and search engine optimisation. You can read more about the services available here.

For more information about how we can help you grow your practice through online marketing contact us here or call 020 7952 1008.