GDPR and Data Protection Accountability – How can you demonstrate your compliance?

In our blog from Karen Heaton of Data Protection 4 Business today, we look at Accountability, one of the Seven Principles of GDPR and the Data Protection Act 2018.

What is it?

Accountability is your requirement to demonstrate how your organisation or practice is compliant with the regulations.

This sounds simple, but what does it really mean? If ever audited or investigated, what would you show the investigators?

Let’s take a look at the route to Data Protection compliance and some essential measures that organisations should have in place to meet this requirement.

[Figure: route to GDPR compliance]

What is the minimum you might need to meet the Accountability requirements?

1. Ensure your employees have some training in Data Protection – this is the responsibility of the Controller

  • We discussed the causes of Data Breaches: 30% – 40% are due to employees.

2. Do you know what data you hold? We discussed Know Your Data (KYD) in our blog on Data Breaches. You should know:

  • why you have that data
  • what you do with it
  • who sees it
  • where it is kept

3. Understand Your role – this determines what your responsibilities are

  • whether you are a Data Controller, a Data Processor or both (highly likely)

4. Have essential operational policies and procedures (measures) in place to deal with:

  • Data breaches
  • Subject Access requests
  • Management of consent

5. Have you communicated your Privacy Notices to clients, employees, suppliers?

6. Do you need to register with the Information Commissioner’s Office (probably)?

  • Use the checklist from the ICO
  • The fees are explained here: SMEs’ fees range from £40 to £60 per annum

7. Decide who will be responsible for Data Protection within your organisation – it must be someone!

Today’s fact:

The ICO use a number of factors to decide what fines (or other actions) to take against organisations. In fact, when submitting Data Breach information to the ICO, organisations must answer questions about staff training and the operational measures that were in place to prevent breaches.

=> Put the essential operational measures in place now to avoid issues in the future.

See you next week!

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Previous blogs in the series:

Our new GDPR for healthcare blog series

Earlier in the year our blog outlined some changes to expect in the EU General Data Protection Regulation (GDPR) which came into force on 26th May 2018.

What else happened? Well, on the same day, the UK introduced the UK Data Protection Act 2018 (DPA), which replaced the previous Data Protection Act 1998, and you will be reassured to know that the core of the EU GDPR remains within our new 2018 Act (together with other UK-specific provisions).

But have you done everything to ensure that you are compliant with the new data protection regulations? Here at Designated Medical, we aim to support you in all areas of your administration, so we’re delighted to introduce a new series of guest blogs from Karen Heaton, founder of Data Protection 4 Business, to guide you through the recent changes and what these mean in pragmatic terms, for your organisation or private medical practice.

GDPR and data protection for healthcare – Karen Heaton, Data Protection 4 Business

Sitting comfortably? Good. Then let’s begin.

Key changes

  • Increased penalties
    2 – 4% of global annual turnover, cessation of processing or, in severe cases, instigation of criminal proceedings. But you knew that already, right? We will take a look at the key risks which may give rise to high penalties.
  • Consent
    Additional conditions for obtaining and maintaining consent are now law. We all received sackfuls of emails from companies requesting our permission to remain on their marketing distribution list in the first half of 2018. But was this necessary? Well, that depends on your organisation and what data processing you undertake. We will look at examples of where consent is obviously required and where possibly not.
  • Data Breach notifications
    In certain instances, the relevant authority must be informed (in the UK, this is the Information Commissioner’s Office (ICO)), and within 72 hours of becoming aware. But what exactly constitutes a data breach that must be reported? Whose responsibility is it to report it? We will look at examples of breaches and discuss how to assess them.
  • Right to access (SAR)
    Data subjects can request a free copy of the personal data relating to them that your practice or organisation holds. For private medical practices, how does this compare with the Access to Medical Records Act 1988? For other organisations, what can or can’t I disclose? We will look at examples for both of these.
  • Accountability
    There is now a requirement to be able to demonstrate how your organisation or practice is compliant with GDPR and the DPA. This sounds simple, but what does it really mean? If ever audited or investigated, what would you show them? We will look at essential examples of what you should have in place to meet this requirement.
  • Data Protection Officers (DPO)
    Are you legally required to have a DPO? Probably not, unless you regularly and systematically monitor data subjects on a large scale. Or you are a local authority. But you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and DPA. We will look at the various activities and tasks your nominated person needs to take care of.
  • No-deal Brexit?
    We are tracking the implications of No Deal on the Brexit negotiations and will round off 2018 with our best guidance on how you may need to prepare for this, still unlikely, scenario.

Today’s fact: The ICO reported that there was a 31% increase in the number of cyber security incidents reported in Jan – Mar 2018 compared to the previous year. => Make sure your internet security is up to date!

See you next week!

Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Further blogs in the series:
Data Protection Operational Risks and Penalties

Establish, Grow Your Private Practice

When I joined Designated Medical I had the undisputed pleasure of ditching the daily Cambridge London commute to become a virtual Business Development Manager with the aim of helping consultants establish and grow their private practice, as we say in our recruitment advert “What’s Not To Like?”

The invitation by Oxford & Cambridge Medical Management Courses for Designated Medical to sponsor and speak at their March course in Cambridge was a commute that I reckoned I could manage, but who knows with Cambridge traffic 😉.

Medical Management Course Not to be Missed

For Senior Registrars (ST6-7) and new consultants this is a packed 2-day medical management course not to be missed. Not only is the content excellent but the venue at St Catherine’s College Cambridge and the intimate nature of the course sets it apart. Best of all there’s lots of time to get to know your colleagues and interact. Dinner is in the Senior Combination Room with stunning views over the College’s Main Court and of course, grace in Latin!

The course is the brainchild of Urologists Oliver Wiseman from the Cambridge Urology Partnership and Ben Turney from Oxford Urology Associates both with recent experience of setting up successful private practice groups. This is a combination that really works and the course content is perfectly tailored to prepare senior trainees and new consultants for the non-clinical components of consultant life.

The course covers:

  • business planning
  • a medicolegal workshop
  • NHS contracts
  • a management workshop
  • a private practice workshop.

Spread over 2 days, there is plenty of time for discussions and debates with the organisers and the invited speakers, so that the delegates get a real taste of senior management and private practice.

Industry Experts

There is also the opportunity to meet industry experts and really get to grips with issues such as personal taxation, the legal aspects of patient consent, medical indemnity, and the importance of timely billing and collection for private practice. In addition, there is the pivotal role of the private medical secretary: that special relationship that can build a thriving private practice.

Grow your Private Practice

I talked about how to ‘Establish and Grow your Private Practice by providing a high class service to patients’. My favourite slide is ’60 and counting’. It’s so much more than answering the phone and booking theatre and clinic appointments!

[Figure: Grow Your Private Practice]

So, a big thanks to Ben and Olly for inviting Designated Medical to be part of the course and for those of you who would like to know more, check out the next course this year at –
