GDPR and data processing

GDPR and data processing

In the third in our GDPR for healthcare blog series, Karen Heaton of Data Protection for Business discusses how to ensure that you are processing data lawfully and the necessity to track the data subjects’ consent.

How many emails did you receive in the run up to 25th May this year about ‘opt-ins’ to receive marketing? I, for one, enjoyed a clear out of my junk mail. Now, only products and services I am actually interested in arrive in my Inbox. Not only that, but now organisations have to take my unsubscribe request seriously. This was clearly not the case in the past.

But were all these emails necessary? Well, that depends on the lawful basis you have for processing an individual’s data and also how you received an individual’s data.

So, to answer this question, you need first to understand a) your data and b) your lawful basis for using that data.

Understanding your data

This is the crux of data protection compliance. Without properly mapping out your data, you will struggle to be compliant with all aspects of data protection. Why? Because if you cannot answer the basic questions of….

  • What type of data you have – personal data, or Special Category data – Sensitive / Child
  • Where did you source the data
  • Who has access to that data
  • Which processing activities do you undertake on that data – sending marketing messages, sharing with third parties, analysing data for demographics or other profiling types of activities
  • Lawful basis for processing
  • Which country is it stored in

….then you may be asking for consent unnecessarily, or not asking for consent when you should be. As well as a raft of other non-compliant activities, by the way (and it’s a long list!).

In short, you are risking a breach of the core Principles of data protection which, as we learned in last week’s blog, attract: higher level fines; risk of prosecution; audits by the ICO and restriction of business activities. For medical practices, in particular, and client facing businesses in general, there is the potential for non-trivial reputational damage from any of these actions.


lawful processing

Lawful basis for processing data

Once you have itemised the personal data within your organisation, then ask yourself which of the following lawful reasons apply to each of the processing activities undertaken on the data. If none of numbers 1-5 apply, then you must seek consent. Medical data and other Special Category data requires explicit consent.

1. Performance of a contract entered into with the data subject

2. Legal Obligation which the Controller must comply with

3. Legitimate Interest of the Controller

4. Vital Interests of the data subject

5. Performance of a task carried out in the Public Interest

6. Consent – the organisation must be able to obtain, maintain and validate lawful consent received from the individual


A small business selling products has a database of around 3,000 contacts and wants to send those contacts a monthly newsletter with their new product information and special offers. Do they need to send all contacts an ‘opt-in’ to marketing email?

If the company can validate that all their contacts are or were customers or had previously asked for information on their products, and the company had an unsubscribe option in place, then probably not (as data was received from customer for either performance of contract, consent or legitimate interest). However, they must ensure that all new customers ‘opt-in’ to marketing emails and that the unsubscribe option is clear and easy to use.

If the company is not sure where some of its contacts came from, then those will require consent to receive marketing emails. In particular, if contact data were purchased from a third party, the third party has the duty to ensure that consent to sell or transfer their contact details was received from the data subject. If this cannot be confirmed, then consent to marketing is required.

Tracking consent

Where consent is required to process data, your systems must be set up to track and manage that consent, preferably with a description of how consent was given (e.g. during customer registration process or during a consultation). That way, an audit trail of consent is maintained which will assist in demonstrating your organisation’s compliance with data protection, if questioned.

Today’s fact:

In the ICO quarterly statistics from Q1 2018, out of 23 industry sectors, the Health sector had the highest numbers of data breaches for any sector – 677 out of a total 3146 reported incidents – 22% of the total.

Medical data is a Special Category of data and a therefore a higher standard for processing and seeking consent is in place. Individuals are much more aware and inquisitive about how their medical information is used.

=>You must understand your all responsibilities as a Data Controller. For Controllers processing Special Category data, your operational risk is increased. Regular internal reviews of procedures and compliance audits is highly recommended.

See you next week!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited


Previous blogs in this series:
GDPR for Healthcare – an introduction
Data Protection Operational Risks and Penalties


Data Protection Operational Risks & Penalties

Data Protection Operational Risks & Penalties

In the second in our series of blogs from Karen Heaton of Data Protection 4 Business, she looks at the potential risks involved in GDPR and Data Protection Act (2018) non-compliance.

Operational Risks and Penalties

We all know about the potential for huge fines from the new EU General Data Protection Regulation (GDPR) and now the UK Data Protection Act 2018. These have been grabbing headlines for over a year in the lead up to Implementation-Day of 26th May 2018.

Most headline penalties are based on the highest maximum level of fines 4% of global annual turnover or Euro 20m, whichever is highest. But there is also a standard maximum level, which is 2% of global annual turnover or Euro 10m. Yes, both are hefty penalties – as they apply to turnover, not profits.

Higher level penalties can apply to any failure relating to: the data protection Principles; rights of the individual and data transfers to third countries.

Standard maximum level penalties can apply to infringement of administrative requirements of the regulations. So, breaches of controller or processor obligations, for example.

The size of the penalty will depend on a number of factors: the behaviour of the organisation; what steps have been taken to be compliant; how this can be demonstrated to the ICO and whether the organisational culture takes data protection seriously.

Information Commissioners Office

Data breach penalties

So, let’s look at some recent data breach penalties:

Heathrow Airport data breach loss of a USB stick in Oct 2017 – penalty of £120k was levied under the previous Data Protection Act 1998. The investigation by the ICO found:

  •  only 2% of the 6,500 strong workforce had been trained in Data Protection
  • there was widespread use of removable media (eg USB sticks, CDs) which contravened the company’s guidance
  •  ineffective controls were in place to prevent personal data from being downloaded onto unauthorised or unencrypted (removable) media

Bayswater Medical Centre – left sensitive data in an empty building in July 2015 – penalty of £35k levied under the previous Data Protection Act 1998. The investigation by the ICO found:

The data was left from July 2015 – February 2017 during which time access to the building was granted to other organisations. Emails to the medical centre about the unsecured data had not been actioned.

  • Examples of how poorly the data was secured in the empty building:
  • Patient identifiable data was lying on a desk and in a bin in one of the consultation rooms
  • Medical records stored in 2 unlocked cabinets with the keys left in the locks
  • Boxes of prescribed medication containing patient identifiable information left throughout the premises

The ICO found that the Centre had:

  • Failed to adhere to its own policies regarding security of medical records, patient confidentiality and confidential waste disposal
  • Failed to take adequate physical measures to secure the building
  • Failed to take any or any sufficient measures to secure the physical security of patient identifiable data in the building

Former hospital worker prosecuted for inappropriately accessing patient records in March 16 – January 17

  • She inappropriately accessed the records of 12 patients outside of her role as receptionist/general
  • She was prosecuted for unlawfully accessing personal data and unlawfully disclosing personal data under the Data Protection Act 1998 and additionally fined £230

What does this mean for your practice or organisation?

Well, a number of risk reduction steps should be taken: staff training in data protection; data handling guidelines; security procedures – physical and electronic; encryption of removable devices; restriction of data downloads; understanding your role – Controller/Processor; Data breach procedures; being able to demonstrate compliance with data protection regulations; building a culture of taking data protection seriously. There’s more. See our checklist!

Today’s fact. The ICO quarterly statistics on reported data security incidents found that in Q4 2017, four of the five leading causes (cases where the ICO took action) involved human errors and process (control) failures.

=> Employee training and data handling guidelines are ‘must haves’ for organisations processing Sensitive (ie Medical) Data.

See you next week!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Our new GDPR for healthcare blog series

Our new GDPR for healthcare blog series

Earlier in the year our blog outlined some changes to expect in the EU General Data Protection Regulation (GDPR) which came into force on 26th May 2018.

What else happened? Well, on the same day, the UK introduced the UK Data Protection Act 2018 (DPA) which replaced the previous Data Protection Act 1998, and you will be assured to know that the core of the EU GDPR remains within our new 2018 Act (together with other UK specific provisions).

But have you done everything to ensure that you are compliant with the new data protection regulations? Here at Designated Medical, we aim to support you in all areas of your administration, so we’re delighted to introduce a new series of guest blogs from Karen Heaton, founder of Data Protection 4 Business, to guide you through the recent changes and what these mean in pragmatic terms, for your organisation or private medical practice.

GDPR and data protection for healthcare – Karen Heaton, Data Protection 4 Business

Sitting comfortably? Good. Then let’s begin.

Key changes

  • Increased penalties
    2 – 4% of global annual turnover, cessation of processing or, in severe cases, instigation of criminal proceedings. But you knew that already, right? We will take a look at the key risks which may give rise to high penalties.
  • Consent
    Additional conditions for obtaining and maintaining consent are now law. We all received sackfuls of emails from companies requesting our permission to remain on their marketing distribution list in the first half of 2018. But was this necessary? Well, that depends on your organisation and what data processing you undertake. We will look at examples of where consent is obviously required and where possibly not.
  • Data Breach notifications
    In certain instances, the relevant authority must be informed (in the UK, this is the Information Commissioners Office (ICO)). And within 72 hours of becoming aware. But what exactly constitutes a data breach that must be reported? Whose responsibility is it to report it? We will look at examples of breaches and discuss how to assess them.
  • Right to access (SAR)
    Data subject can request a free copy of personal data relating to them that your practice or organisation holds. For private medical practices, how does this compare with the Access to Medical Records Act 1988? For other organisations, what can or can’t I disclose? We will look at examples for both of these.
  • Accountability
    There is now a requirement to be able to demonstrate how your organisation or practice is compliant with GDPR and the DPA. This sounds simple, but what does it really mean? If ever audited or investigated, what would you show them? We will look at essential examples of what you should have in place to meet this requirement.
  • Data Protection Officers (DPO)
    Are you legally required to have a DPO? Probably not, unless you regularly and systematically monitor data subjects on a large scale. Or you are a local authority. But you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and DPA. We will look at the various activities and tasks your nominated person needs to take care of.
  • No-deal Brexit?
    We are tracking the implications of No Deal on the Brexit negotiations and will round off 2018 with our best guidance on how you may need to prepare for this, still unlikely, scenario.

Today’s fact: The ICO reported that there was a 31% increase in the number of Cyber security incidents reported in Jan – Mar 2018 compared to previous year. => Make sure your internet security is up to date!

See you next week!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited



Further blogs in the series:
Data Protection Operational Risks and Penalties

Designated Medical are GDPR Ready!

Designated Medical are GDPR Ready!

Our commitment to GDPR


The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will be effective from May 25, 2018. Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data. Designated Group, including Designated Medical is well aware of its role in providing the right tools and processes to support its users and customers meet their GDPR mandates.

Designated Medical’s Commitment

At Designated Medical, we have always given our clients and contacts’ the right to data privacy and protection. We have never relied on advertising as a means to generate business and we have never sent direct advertising to our contact database, and never will.  This means that we have no necessity to collect and process our contact database’s personal information beyond what is required for the delivery of our services and to ensure we optimise how we can help and support them.

Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for data protection. All client sensitive data is saved in an encrypted storage facility which is tightly regulated.  We have also made significant investment into our IT infrastructure and we recognise that the GDPR will help us move towards the highest standards of operations in protecting customer data.

How is Designated Medical preparing for GDPR?

We have reviewed all our data and touch points where we collect data and have ensured that we are fully compliant by the time the regulation comes into effect.  Designated Medical also understands its obligation to help clients and contacts get ready for the big day and has published useful information to assist them in the process.

We have thoroughly reviewed GDPR requirements and have put in place a dedicated internal team to drive our company to meet them. Some of our ongoing initiatives are:

  • Identifying personal data – All our data is categorised and integrated with our marketing systems to ensure consent and accessibility.  We  have invested in systems to ensuring accuracy and control of data across all systems.
  • Providing visibility and transparency – The most important aspect of GDPR is how the collected data is used. Designated Medical’s key role is to provide our clients and contacts (the data subjects) with the access to effectively manage and protect their user data. Designated PA has contacted each and every contact allowing them access to opt in and out and update their personal information.
  • Enhancing data integrity and security – Data privacy and data security are two sides of the same coin. As our clients tighten their data security measures, Designated Medical would like to extend a helping hand and have a team of marketing experts who can assist with GDPR compliance.  We have invested heavily in our IT infrastructure to ensure we maintain a high level of security and integrity.
  • Portability and transferability of data – GDPR gives data subjects the right to either receive all the data provided and processed by the data controller or transfer it to another controller depending on technical feasibility. With this new right in mind, Designated PA is able to export data at an individual level as required.

What does this mean for our clients?

We understand that meeting the GDPR requirements will take a lot of time and effort. And as your partner, we want to help you make your process as seamless as possible, so that you don’t have to worry about compliance and can focus more on running your business.  If you need assistance with implementing processes that are GDPR compliant, get in touch and our team of marketing experts can assist.  The Information Commissioner’s Office (ICO) have a self assessment tool for businesses which is definitely worth a read.

What should you do to be GDPR-ready?

If you are just getting started with GDPR compliance in your business, here’s a quick to-do list to keep in mind.  The ICO have also produced a 12 step process to preparing for the regulation here.

  • Create a data privacy team to oversee GDPR activities and raise awareness
  • Review current security and privacy processes in place & where applicable, revise your contracts with third parties & customers to meet the requirements of the GDPR
  • Identify the Personally Identifiable Information (PII)/Personal data that is being collected
  • Analyse how this information is being processed, stored, retained and deleted
  • Assess the third parties with whom you disclose data if
  • Establish procedures to respond to data subjects when they exercise their rights
  • Establish & conduct Privacy Impact Assessment (PIA)
  • Create processes for data breach notification activities
  • Continuous employee awareness is vital to ensure continual compliance to the GDPR

Are you GDPR ready?


Useful Information:

12 Steps to take now

Guide to General Data Protection Regulation

Key Definitions of GDPR

Data Protection Self Assessment Toolkit

New data law to boost trust

New data law to boost trust

Don’t get left behind on General Data Protection Regulation (GDPR). It’s happening on 25 May. Jane Braithwaite presents a very practical guide for any Independent Practitioner Today readers who have so far failed to react….

Mature businessman and young woman having a business meeting in the office, they are discussing togetherI hear you groan. Not another article on the EU’s General Data Protection Regulation (GDPR). It’s beginning to feel a lot like the millennium bug. Lots of noise, confusion and uncertainty. Are you tempted to just ignore and hope that it all goes away? Please don’t. I have attempted to write a very practical guide on GDPR, what it is and what we, as individuals responsible for medical practice management, can do to break through the panic and feel calm and perhaps even a little bit smug that we have it all in hand.

The problem with GDPR, like most regulations, is that there is no definitive solution. It’s like saying to parents that they must, by law, give their children a healthy diet and will be fined if they fail to do so.

Each individual interpretation of what constitutes healthy is different and research leads us down many different alleyways and we struggle to know what is accurate and what constitutes commercial opportunity.

Nobody can give us a set of rules to follow that ensure success. We have to interpret the information and make our own decisions. I am no expert and I do not pretend to be one, but I am sharing my understanding and my thoughts on how we can deal with this important issue.

Significant requirements

The GDPR will be implemented from 25 May 2018, replacing the UK’s Data Protection Act 1998 (DPA).

Now, although private medical practices should already be working in accordance with the DPA to manage patient records, the GDPR has some significant new requirements.

The GDPR applies to anyone who processes personal data relating to EU citizens. In the case of healthcare, this not only includes patient records, but any data related to employees and suppliers.

The consequences of not meeting the requirements, or failing to notify the authorities of a breach, could be harsh indeed. If a healthcare provider breaches the GDPR, they could face a fine of up to €20m or 4% of annual turnover.

Why is the GDPR being introduced?

The GDPR has two primary aims: to simplify regulation across the EU and to give individuals more control of their personal data.

It’s important to see the GDPR as more than a box-ticking exercise. It is really more of a cultural change to ensure that businesses are accountable and transparent with data.

In addition, healthcare has been shown to be particularly vulnerable to cyber crime in 2017 as evinced by the WannaCry NHS attack among others. Individuals are more concerned about the security and privacy of their data than ever.

The Information Commis­sioner’s Office (ICO) is the UK’s Data Protection Authority and its role is to ‘uphold information rights in the public interest’. In 2017, the ICO found that 80% of the public didn’t have trust or confidence in the companies storing their private data.

Adherence to the GDPR will help build patient trust, which is something all healthcare providers surely value.

Elizabeth Denham, the UK Information Commissioner in charge of the ICO, commented on the strong links between data privacy and data security.

She went on to underline the positive role of the GDPR: ‘Thinking that GDPR is about crippling financial punishment misses the point. GDPR is about enhanced rights for individuals.’

Who is responsible for implementing GDPR?

The new regulation applies to both ‘data controllers’ and ‘data processors’. The ICO defines the roles as follows: ‘A controller determines the purposes and means of processing personal data.

‘A processor is responsible for processing personal data on behalf of a controller.’

In the context of a private medical practice, a data controller could be the principal consultant and the data processor could be the practice manager, medical secretary, IT consultant or anyone who acts on the processor’s behalf.

What data is included in the GDPR?

Data processed within a medical environment will include names, addresses, email addresses and medical information. For self-pay patients, bank details will also need to be processed in line with the regulations.

Medical photography is considered personal data, as are recorded phone calls and any social media interactions you may have with patients – although any communications made in this way will also be subject to additional guidance set out by the GMC.

You need to apply the same rules to personal data you may hold about employees and suppliers.

What are the main requirements of the GDPR?

Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are:

Consent – Terms and conditions relating to consent need to be accessible and clear, using plain language. Companies can no longer use lengthy and ineligible terms and conditions, and must make it easy for subjects and clients to withdraw their consent.

Breach notifications – The ICO must be notified of any breaches within 72 hours of the data processors and controllers becoming aware of the breach. This is a mandatory step where a breach is likely to put at risk the ‘rights and freedoms of individuals’.

Right to access – Data subjects – patients, in the case of private medical practices – have the right to request and obtain from the data controller information relating to whether or not their data has been processed and for what purpose.
The controller is obliged to provide a free electronic copy of any personal data being held.

Data portability – This relates to a subject or patient’s right to request and receive their data, and the right to transfer that data to another company.

Data Protection Officers (DPO) – The new regulation requires a DPO to be appointed only in situations where the company’s activities include the ‘regular and systematic monitoring of data subjects on a large scale’, or if the company is a public authority.

Penalties – Breaches of the GDPR can result in a fine of up to €20m or 4% of annual turnover, whichever is the larger amount. This amount is in relation to the most serious violations.

A company can also be fined up to 2% for less serious breaches.

See the EU GDPR portal for more information on all changes and requirements, including the full criteria for DPO appointments.

How will Brexit affect the GDPR?

The GDPR applies to all companies located within the EU that process and hold personal data. Companies located outside the EU will also need to comply with the regulation if they provide services to people residing in the EU.

In the international arena of private healthcare, there is a strong likelihood that services will be offered to EU residents. As a result, it would be sensible for practices to ensure they are working within the regulatory framework of the GDPR, so they are compliant even after the UK leaves the EU.

How do I assess my practice for compliance?

The ICO’s online self-assessments are an excellent tool for business managers or principal consultants who are unsure how compliant their practices are.

Top Tip

Read the ICO’s Preparing for the GDPR: 12 steps to take now. An 11-page illustrated PDF is a lot easier to assimilate than the full 300 pages of the GDPR itself.

There is no magic pill for meeting GDPR requirements, and it’s an ongoing process to ensure that your practice complies.

But there is a wealth of information available, and the ICO has shown a supportive and positive approach in order to help businesses protect personal data.

Jane Braithwaite is Managing Director at Designated Medical and regularly contributes to the Independent Practitioner Today publication.

[plsc_button url=”” target=”_self” color=”black” style=”flat” radius=”square” size=”st”]Download full article[/plsc_button]