Do I need a Data Protection Officer?

In our blog today, from Karen Heaton at Data Protection 4 Business, we look at Data Protection Officers. But do you need one?

Well… probably not, unless you regularly and systematically monitor data subjects on a large scale. Or you are a local authority.
Ok, you don’t. BUT you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and the Data Protection Act. So, somebody needs to be responsible!

Responsible for what?

Even for small and medium sized organisations, someone will need to be skilled and available to undertake these tasks:

  • Responding to Subject Access Requests and managing Data Breaches
  • Reviews of security – physical and IT
  • Making sure your organisation is compliant or has a work plan to become compliant
  • Training staff in all areas and responding to any queries from clients, suppliers or staff – remember the lessons from Data Breaches in our earlier blog? Staff can be a high source of data breaches – unintentionally or not!
  • Working across all business functions, such as IT, Marketing, Finance and operations to understand the data in use and ensure operational procedures are in place
  • Policing the operations to ensure procedures are being followed AND are effective

What skills are needed? Can this be outsourced? Absolutely yes.

A good DPO should be able to wear many hats and have a wide range of skills.

  • Strong IT knowledge, detailed understanding of the regulations, know what ‘being compliant’ looks like and good project management skills to manage the changes needed within an organisation
  • Be active in the Data Protection space, follow trends, keep abreast of risks and continually scan for solutions e.g. software products to automate tasks
  • Save you time and money. For small and medium sized organisations, training up a member of staff or a small team can be costly and time consuming, so outsourcing can be a cost-effective solution
  • Support your organisation in Data Protection Impact Assessments to identify business risks
  • Be independent and objective. A key requirement of the role according to the regulations

Internal resource or an outsourced service?

This depends on a number of factors and it can be a long list! But it mainly boils down to a) what risks your organisations may be running and b) what skills your resources have.

  • What are your data risks? Do you process Sensitive or Child data? Do you store financial details?
  • How many customers, staff, suppliers do you have?
  • Where are your data stored?
  • Do you sell things via your website?
  • Is your industry a target for cyber attacks?

There’s a lot to think about, that’s for sure.

Today’s fact. According to the GDPR and Data Protection Act, the DPO role can be outsourced to another organisation.

=> This may be a more efficient solution for your business. However, do check their credentials first!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Data Protection for Business offers outsourced data protection officer services:


Previous blogs in the series:


GDPR and Data Protection Accountability – How can you demonstrate your compliance?

In our blog from Karen Heaton of Data Protection 4 Business today, we look at Accountability, one of the Seven Principles of GDPR and the Data Protection Act 2018.

What is it?

Accountability is your requirement to demonstrate how your organisation or practice is compliant with the regulations.

This sounds simple, but what does it really mean? If you were ever audited or investigated, what would you show the investigators?

Let’s take a look at the route to Data Protection compliance and some essential measures that organisations should have in place to meet this requirement.

[Image: route to GDPR compliance]

What is the minimum you might need to meet the Accountability requirements?

1. Ensure your employees have some training in Data Protection – this is the responsibility of the Controller

  • We discussed the causes of Data Breaches: 30% – 40% are due to employees.

2. Do you know what data you hold? We discussed Know Your Data (KYD) in our blog on Data Breaches

  • why you have that data
  • what you do with it
  • who sees it
  • where it is kept

3. Understand Your role – this determines what your responsibilities are

  • Are you a Data Controller, Data Processor or both (highly likely)?

4. Have essential operational policies and procedures (measures) in place to deal with:

  • Data breaches
  • Subject Access requests
  • Management of consent

5. Have you communicated your Privacy Notices to clients, employees, suppliers?

6. Do you need to Register with the Information Commissioner's Office (probably)?

  • Use the checklist from the ICO
  • The fees are explained here – SME fees range from £40 – £60 per annum

7. Decide who will be responsible for Data Protection within your organisation – it must be someone!

Today’s fact:

The ICO use a number of factors to decide what fines (or other actions) to take against organisations. In fact, when submitting Data Breach information to the ICO, organisations must answer questions about staff training and the operational measures that were in place to prevent breaches.

=> Put the essential operational measures in place now to avoid issues in the future.

See you next week!


Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Previous blogs in the series:

GDPR and Subject Access Requests

Our fifth blog from Karen Heaton of Data Protection 4 Business covers how to handle a request from a patient or customer for details of the information that you hold on them.

In our blog today, we look at a data subject’s right to access, a powerful tool for individuals who have concerns about what information organisations hold about them. Unfortunately, it can also be used for litigious purposes and such a request should be taken very seriously within your organisation, so please read on!

A data subject, in other words, you or I, can request a free copy of all personal data relating to us that an organisation holds – in any format – paper files, digital, videos or voice records. Ok, do I have your attention now? Even for a small organisation, that can amount to a lot of data.

Oh, and you have one calendar month to respond.

So, what must you provide and what is exempt?  Well, let’s see…

What information must I provide?

You must provide the following long list of information in relation to the personal data being processed as well as the data itself:

  • the purposes of your processing
  • the categories of personal data concerned
  • the recipients or categories of recipient you disclose the personal data to
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it
  • the existence of their right to request rectification, erasure or restriction or to object to such processing
  • information about the source of the data, where it was not obtained directly from the individual
  • the existence of automated decision-making (including profiling)
  • the safeguards you provide if you transfer personal data to a third country or international organisation
  • the right to lodge a complaint with the ICO or another supervisory authority

I have a question or two: would you know where to find the data? Would you be able to respond to the other information points above regarding the data you hold? This is not a simple task and can amount to an operational headache for many organisations.

What information can I withhold?

The most common type of data that should be withheld is data mentioning third parties (unless they have given consent for their data to be shared or it is reasonable not to require such consent – confused?). For example, an email chain where people other than the data subject are mentioned would need to be considered for redacting. How easily can your organisation find, review and redact third party information?

Other examples of exempted information:

Specific information regarding medical organisations

Often, my clients have concerns that some law firms may use SARs to obtain medical data for free that was previously chargeable.

Subject Access Request (free) vs Access to Medical Reports Act 1988 (chargeable):

Requests from Solicitors acting on behalf of a Patient

The British Medical Association advises that a patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a medical practice will be able to lawfully decline such requests. In this instance, you should ask the person acting on their behalf if there is specific data that they require, for example, are they requesting data covering a specific time period or illness or operation? This is a valid question for you to ask if the patient data file is substantial.

Tip: Don’t forget to get valid consent from the patient to disclose their personal and sensitive data to the Solicitor or third party.

If, however, the request is asking for a report to be written or it is asking for an interpretation of information within the record, this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act 1988, for which a fee may be charged.

Requests from an Insurance company

The British Medical Association, ICO and Association of British Insurers currently advise that Insurance companies should use the provisions of the Access to Medical Reports Act 1988 to seek access to medical records and that the use of SARs to obtain medical information for life assurance purposes is an abuse of subject access rights.

So, that scenario is a bit more clear cut.

The bottom line is…

Your organisation or medical practice must take the time to consider and plan how to respond to a Subject Access Request from an operational perspective. Don’t wait until you receive one to work out how it should be done. The clock starts ticking from the day you receive the request.


Today’s fact. Access to your data is a basic Right under GDPR and Data Protection Act 2018. A data subject can make a complaint to the ICO if an organisation fails to respond to a Subject Access Request. Further failure to respond to requests from the ICO, or to any Enforcement Notice they serve, is a criminal offence.

=> This is the worst-case scenario and easily avoided. Ensure you have a robust operating procedure to handle Subject Access Requests and train your staff in how to respond, when to respond and what information to provide.

See you next week!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Previous blogs in the series:

GDPR and data processing

In the third in our GDPR for healthcare blog series, Karen Heaton of Data Protection for Business discusses how to ensure that you are processing data lawfully and the necessity to track the data subjects’ consent.

How many emails did you receive in the run up to 25th May this year about ‘opt-ins’ to receive marketing? I, for one, enjoyed a clear out of my junk mail. Now, only products and services I am actually interested in arrive in my Inbox. Not only that, but now organisations have to take my unsubscribe request seriously. This was clearly not the case in the past.

But were all these emails necessary? Well, that depends on the lawful basis you have for processing an individual’s data and also how you received an individual’s data.

So, to answer this question, you need first to understand a) your data and b) your lawful basis for using that data.

Understanding your data

This is the crux of data protection compliance. Without properly mapping out your data, you will struggle to be compliant with all aspects of data protection. Why? Because if you cannot answer the basic questions of…

  • What type of data you have – personal data, or Special Category data – Sensitive / Child
  • Where did you source the data
  • Who has access to that data
  • Which processing activities do you undertake on that data – sending marketing messages, sharing with third parties, analysing data for demographics or other profiling types of activities
  • Lawful basis for processing
  • Which country is it stored in

…then you may be asking for consent unnecessarily, or not asking for consent when you should be. As well as a raft of other non-compliant activities, by the way (and it’s a long list!).

In short, you are risking a breach of the core Principles of data protection which, as we learned in last week’s blog, attract: higher level fines; risk of prosecution; audits by the ICO and restriction of business activities. For medical practices, in particular, and client facing businesses in general, there is the potential for non-trivial reputational damage from any of these actions.


[Image: lawful processing]

Lawful basis for processing data

Once you have itemised the personal data within your organisation, then ask yourself which of the following lawful reasons apply to each of the processing activities undertaken on the data. If none of numbers 1-5 apply, then you must seek consent. Medical data and other Special Category data require explicit consent.

1. Performance of a contract entered into with the data subject

2. Legal Obligation which the Controller must comply with

3. Legitimate Interest of the Controller

4. Vital Interests of the data subject

5. Performance of a task carried out in the Public Interest

6. Consent – the organisation must be able to obtain, maintain and validate lawful consent received from the individual


A small business selling products has a database of around 3,000 contacts and wants to send those contacts a monthly newsletter with their new product information and special offers. Do they need to send all contacts an ‘opt-in’ to marketing email?

If the company can validate that all their contacts are or were customers or had previously asked for information on their products, and the company had an unsubscribe option in place, then probably not (as the data was received from the customer for either performance of contract, consent or legitimate interest). However, they must ensure that all new customers ‘opt-in’ to marketing emails and that the unsubscribe option is clear and easy to use.

If the company is not sure where some of its contacts came from, then those will require consent to receive marketing emails. In particular, if contact data were purchased from a third party, the third party has the duty to ensure that consent to sell or transfer their contact details was received from the data subject. If this cannot be confirmed, then consent to marketing is required.

Tracking consent

Where consent is required to process data, your systems must be set up to track and manage that consent, preferably with a description of how consent was given (e.g. during customer registration process or during a consultation). That way, an audit trail of consent is maintained which will assist in demonstrating your organisation’s compliance with data protection, if questioned.
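The following is an added example, not code from the blog or from Data Protection 4 Business. It shows one way to implement what the "Lawful basis for processing data" and "Tracking consent" sections describe: a decision helper that applies the blog's rule (no consent needed when one of bases 1-5 applies, consent always needed for Special Category data), and an append-only consent ledger that records how each consent was given so an audit trail exists. The ledger is in-memory, the subject IDs, purposes and sources are constructed sample values, and every function and field name is hypothetical.

```python
"""Consent audit trail and lawful-basis check (added example, hypothetical names)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The five lawful bases from the blog's list (items 1-5); anything else needs consent.
LAWFUL_BASES = {
    "contract",             # 1. performance of a contract with the data subject
    "legal_obligation",     # 2. legal obligation on the Controller
    "legitimate_interest",  # 3. legitimate interest of the Controller
    "vital_interests",      # 4. vital interests of the data subject
    "public_task",          # 5. task carried out in the public interest
}


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail."""
    subject_id: str
    purpose: str        # e.g. "marketing_email"
    action: str         # "granted" or "withdrawn"
    source: str         # how consent was given, e.g. "web_registration_form"
    recorded_at: datetime


class ConsentLedger:
    """Append-only log of consent events; the current status is derived from the history."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, action: str,
               source: str, when: Optional[datetime] = None) -> ConsentEvent:
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        if not source:
            # The blog asks for a description of how consent was given; refuse entries without one.
            raise ValueError("source is required so the audit trail shows how consent was obtained")
        event = ConsentEvent(subject_id, purpose, action, source,
                             when or datetime.now(timezone.utc))
        self._events.append(event)  # never modify or delete earlier entries
        return event

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full audit trail for one subject and purpose, oldest first."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.recorded_at)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest event wins; no recorded event means no consent."""
        trail = self.history(subject_id, purpose)
        return bool(trail) and trail[-1].action == "granted"


def consent_required(basis: Optional[str], special_category: bool) -> bool:
    """Apply the blog's rule: consent is needed unless one of bases 1-5 applies,
    and Special Category data always needs (explicit) consent."""
    if special_category:
        return True
    return basis not in LAWFUL_BASES


def may_process(ledger: ConsentLedger, subject_id: str, purpose: str,
                basis: Optional[str], special_category: bool = False) -> bool:
    """True if processing may go ahead: either a lawful basis applies or consent is on record."""
    if not consent_required(basis, special_category):
        return True
    return ledger.has_consent(subject_id, purpose)


def demo() -> Dict[str, object]:
    """Constructed sample data: a customer who opted in then unsubscribed, and one who opted in."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    ledger.record("cust-001", "marketing_email", "granted", "web_registration_form", t0)
    ledger.record("cust-001", "marketing_email", "withdrawn", "unsubscribe_link",
                  t0 + timedelta(days=30))
    ledger.record("cust-002", "marketing_email", "granted", "consultation_form", t0)
    return {
        # unsubscribed, so marketing is no longer permitted
        "cust-001 marketing": may_process(ledger, "cust-001", "marketing_email", basis=None),
        # consent on record
        "cust-002 marketing": may_process(ledger, "cust-002", "marketing_email", basis=None),
        # invoicing rests on performance of contract; no consent record needed
        "cust-003 invoicing": may_process(ledger, "cust-003", "invoicing", basis="contract"),
        # Special Category data: a lawful basis alone is not enough, no consent recorded
        "cust-002 research": may_process(ledger, "cust-002", "clinical_research",
                                         basis="legitimate_interest", special_category=True),
        "cust-001 trail length": len(ledger.history("cust-001", "marketing_email")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the ledger only ever appends, the `history` call answers the "how and when was consent given" question an investigator would ask, while `has_consent` answers the operational "may I send this?" question from the same record, so the two can never drift apart.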

Today’s fact:

In the ICO quarterly statistics from Q1 2018, out of 23 industry sectors, the Health sector had the highest number of data breaches of any sector – 677 out of a total 3146 reported incidents – 22% of the total.

Medical data is a Special Category of data and therefore a higher standard for processing and seeking consent is in place. Individuals are much more aware and inquisitive about how their medical information is used.

=> You must understand all your responsibilities as a Data Controller. For Controllers processing Special Category data, your operational risk is increased. Regular internal reviews of procedures and compliance audits are highly recommended.

See you next week!

Karen Heaton Data Protection 4 Business

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited


Previous blogs in this series:
GDPR for Healthcare – an introduction
Data Protection Operational Risks and Penalties


E for easy learning: top healthcare podcasts

Jane Braithwaite shows how to make the most of the world of podcasts at your disposal.

Our busy lives mean that we do not always have the time to sit down and enjoy listening to and watching the things we are interested in. Who among us is not guilty of recording and downloading TV programmes and never getting around to watching them? Perhaps this is the reason why, according to Radio Joint Audience Research (RAJAR), podcasts are now downloaded by more than 4.5m adults in the UK alone.

Podcasts can be neatly described as online radio broadcasts on demand, with the word ‘podcast’ itself being a combination of ‘iPod’ and ‘broadcast’.

Users can subscribe to online channels and have episodes of their favourite podcasts – available as both audio and video broadcasts – automatically downloaded to their devices, much like a subscription to a journal or magazine.

Of course, for many people, listening to a podcast is not a necessity but a pleasure, and a quick look at iTunes shows the huge number of podcasts classed as comedy or games and hobbies.

Well-known organisations such as the BBC offer a large library of programmes. Whether you are after drama, sport, politics or factual programmes, all tastes are catered for and the online homes of radio stations such as talkRADIO also hold archives of their popular programmes.

However, for a busy private medical practitioner, podcasts can be an opportunity to catch up on developments in their area of expertise or in healthcare in general, and even clock up some valuable hours for continuing professional development (CPD) requirements.

Continuing professional development

The GMC considers CPD to be any learning outside of undergraduate or postgraduate courses that supports doctors in improving and maintaining their performance, which includes both formal and informal learning.

So as well as being a way to update yourself on industry developments, podcasts can also be a valuable tool when it comes to education and CPD.

Many of the royal colleges recognise the importance of e-learning and also recognise the benefits of podcasts.

Several of these institutions publish regular free content for their members.

Some sources are also freely available to non-members – the Royal College of General Practitioners, the Royal College of Emergency Medicine, and the Royal College of Psychiatrists, for example.

Their online libraries are extensive and of high quality. RCPsych, for instance, has an online library of over 100 peer-reviewed podcasts to support CPD on the go, providing a great source of information to help members improve their knowledge, hone new skills and keep up to date with new research.

Another example is the RCGP, which runs a programme that contributes to CPD: the Essential Knowledge Update programme.

Ideal for the busy GP, this programme’s podcast provides practitioners with a biannual update that focuses on the very latest updates in terms of regulations and information and provides GPs with support in terms of how to apply new knowledge in the clinical setting.

These podcasts usually feature the authors of the programme’s modules, whose knowledge of the subject helps to provide a deeper level of expertise.

As well as being a great way to address the learning and development needs of a medical practitioner, these podcasts are a cost-effective source of learning. There are, of course, costs associated with society membership, so why not take advantage of all the sources these prestigious organisations have to offer?

Top talent

When the topic at hand is developments in healthcare and the podcast is being listened to with a view to being educated, it is imperative that the content is of high standard.

In addition to royal colleges, there are many high-profile organisations that produce podcasts: The Lancet, TED Talks, the British Medical Association, the British Medical Journal and the New England Journal of Medicine, to name but a few.

These organisations can attract top talent and field experts, and can be an invaluable source of information for anyone in the healthcare industry, from medical students revising for exams to consultants looking to maintain their level of knowledge.

Utility, versatility, accessibility

So we have established that the information is available and the standard is high, but what other factors can be taken into account? Why are podcasts so popular and why are they particularly useful to medical professionals?

Research carried out in 2010 by Schreiber et al has suggested that although there does not seem to be a real difference in terms of information retention, face-to-face learning is preferred in relation to engaging with the expert/teacher. But podcasts have an undeniable benefit in terms of reinforcing learning and accessibility.

Other studies, such as Ruiz et al’s 2006 examination of e-learning in medical education, support this. Their findings indicate that satisfaction rates are higher for e-learning in comparison to traditional learning, with factors such as ease of access and use being a major factor.

In addition to this, research conducted by the investment intelligence firm Edison gives weight to the idea of ease of access being a key factor in utilising audio technologies. It suggests that a third of all podcasts are listened to while on the go when travelling or commuting, or when carrying out other activities.

So commuting is suddenly an opportunity to catch up on the latest developments in healthcare. Taking the dog for a walk can now double up as prime time to listen to that documentary on rare diseases that you missed last week.

Of course, for today’s busy private practitioner, this is where the true value of listening to educational podcasts lies. Whether it is a bite-sized update on data governance regulations or a lengthy debate on topical healthcare issues, taking in the information can easily be done at the same time as making dinner or a gym session.

And this is the beauty of the podcast: the fact that it can be accessed anytime and anywhere. And when this is considered alongside high-quality content, there really is no better way to maintain one’s knowledge in the context of a hectic and busy schedule.

How to get the best out of podcasts

    • Set achievable goals. What do you hope to achieve? If you are listening to educational podcasts with a view to building up CPD hours, make sure you document your learning in some way. You could try collecting evidence of your learning by producing written reflections, for example.
    • Stay motivated. Consider putting together a schedule; set aside a certain number of hours per week to help you achieve your goal.
    • Consider materials published by journals. Do you subscribe to any scientific magazines or journals? If so, check out their websites for any downloadable podcast content. In fact, these are often available free of charge to non-subscribers too
    • Choose your app. There are many apps available to download that help you manage your podcasts. Take a few minutes to browse through your device’s app store and see what is on offer
    • Seek out peer-reviewed content. If you are a member of a royal college, take advantage of their online libraries. The content, including podcasts, is usually peer-reviewed and free of charge to members
    • Download your programme ahead of schedule. Who needs technical difficulties when time is of the essence? Avoid the issues associated with unreliable internet connectivity by downloading your favoured podcast ahead of time. You are then at liberty to listen without buffering, glitches or even a sudden change in your own schedule
    • Consolidate your learning. Take advantage of other materials and sources that help to consolidate your learning. Some sources offer other online materials that allow you to test your knowledge retention; an ideal way to self-assess. You could also discuss your findings with colleagues, either offline or in online discussion forums
    • Put your learning into practice. Think about how you can apply your new-found knowledge to your everyday work
    • Be proactive. Try to stay attentive, asking yourself questions as you listen. If you are listening to a live podcast, you might have the opportunity to engage directly with the host, but if you are listening offline, try making notes – even if it is a mental one
    • Enjoy! With so many podcasts out there to choose from, you really are spoilt for choice. If you find you are not engaged with a programme, seek out something new

Jane Braithwaite is Managing Director at Designated Medical and regularly contributes to the Independent Practitioner Today publication.
