Practical advice and first steps towards planning and implementing a GDPR compliance programme for healthcare
The General Data Protection Regulation (GDPR) replaces the Data Protection Act (DPA) from 25 May 2018. From that date, compliance will be mandatory for any organisation that processes EU residents’ personal data.
The Regulation’s main objective is to strengthen data protection for individuals. It stresses that misusing healthcare data can have serious long-term repercussions for data subjects. In the event of a security breach, organisations that fail to demonstrate compliance with the Regulation can expect fines of up to 4% of annual global turnover or €20 million – whichever is greater.
Despite the greater scope of the new law, recent reports indicate that only 38% of businesses in the UK are aware of the GDPR. Of these, just over a quarter have begun to address the challenges that the Regulation presents.
Impact on health and social care
The core changes that the GDPR introduces for health and social care include:
- New accountability requirements mean organisations must demonstrate compliance with the Regulation. Healthcare providers will be required to keep records of all data processing activities.
- Public authorities, as well as any organisation that processes large amounts of sensitive data, will be required to appoint a data protection officer (DPO).
- Data protection impact assessments (DPIAs) will be required for high-risk data processing.
- In most cases, organisations will not be able to charge for subject access requests (SARs).
- Organisations will need to report data breaches that result in a risk to the rights and freedoms of data subjects to the Information Commissioner’s Office (ICO) within 72 hours.
- The maximum penalty for non-compliance with the GDPR is significantly greater than that possible under the DPA.
A checklist of key steps that need to be taken by healthcare providers and their industry partners is available on our website.
The DPO role
A DPO will be mandatory for all public authorities and any organisation that carries out regular and systematic monitoring of data subjects, or processing of special categories of data on a large scale.
The GDPR is explicit about the DPO’s tasks, which include:
- Informing and advising the organisation of its obligations under the GDPR;
- Monitoring an organisation’s compliance with the GDPR;
- Advising on the necessity, implementation and outcomes of DPIAs;
- Serving as the contact point for data protection authorities and data breach reporting; and
- Serving as the contact point for data subjects on privacy matters and data subject access requests (DSARs).
Organisations need to identify an appropriate individual to act as their DPO as they develop their compliance project, and provide adequate resources for them to complete their tasks.
First steps to achieving compliance
Organisations need to ensure board-level buy-in and should have a member of senior management involved in the compliance project from the outset. Healthcare organisations, including any NHS organisation, homecare and nursing providers, assisted living, dental practices and most healthcare industry organisations, will also need to appoint a DPO.
After securing senior-level buy-in and assigning a budget to the project, an organisation should conduct a gap analysis to understand its current level of compliance with the GDPR. This will show where internal capabilities already exist and identify the skilled staff who will be involved in the project.
Using the gap analysis, the designated personnel should identify and communicate a plan that prioritises critical-risk and high-impact areas. This should help to achieve cost-effective, top-level compliance within a structured framework.
Achieving GDPR compliance is a significant project for any organisation, and the additional requirements for healthcare organisations complicate the process. Many organisations across the EU will not fully comply by the May deadline, so they will need to demonstrate that they are taking steps to achieve compliance.
A key way to demonstrate that an organisation is working to achieve compliance is to begin remediation actions by implementing a well-recognised information security framework. These frameworks include Cyber Essentials certification, 10 Steps to Cyber Security and ISO 27001.
Organisations need to have managers who understand the GDPR’s requirements and are well equipped to plan, implement and maintain a compliance programme.
Our GDPR Foundation and Practitioner training courses offer a structured learning path to equip managers with the specialist knowledge and skills needed to deliver GDPR compliance.
More information on the steps that health and social care organisations need to take in planning and implementing compliance strategies is available on our website or by calling us.