The General Data Protection Regulation (GDPR) replaces the Data Protection Act (DPA) from 25 May 2018. From that date, compliance will be mandatory for any organisation that processes EU residents’ personal data.
The Regulation’s main objective is to strengthen data protection for individuals. It stresses that misusing healthcare data can have serious long-term repercussions for data subjects. In the event of a security breach, organisations that fail to demonstrate compliance with the Regulation can expect fines of up to 4% of annual global turnover or €20 million – whichever is greater.
Despite the greater scope of the new law, recent reports indicate that only 38% of businesses in the UK are aware of the GDPR. Of these, just over a quarter have begun to address the challenges that the Regulation presents.
Impact on health and social care
The core changes that the GDPR introduces for health and social care include:
A checklist of key steps that need to be taken by healthcare providers and their industry partners is available on our website.
The DPO role
A DPO will be mandatory for all public authorities and any organisation that carries out regular and systematic monitoring of data subjects, or processing of special categories of data on a large scale.
The GDPR is explicit about the DPO’s tasks, which include:
Organisations need to identify an appropriate individual to act as their DPO as they develop their compliance project, and provide adequate resources for them to complete their tasks.
First steps to achieving compliance
Organisations need to ensure board-level buy-in and should have a member of senior management involved in the compliance project from the outset. Healthcare organisations, including any NHS organisation, homecare and nursing providers, assisted living, dental practices and most healthcare industry organisations, will also need to appoint a DPO.
After securing senior-level buy-in and assigning a budget to the project, an organisation should conduct a gap analysis to understand its current level of compliance with the GDPR. This will show where internal capabilities already exist and help identify the skilled staff who will be involved in the project.
Using the gap analysis, the designated personnel should identify and communicate a plan that prioritises critical-risk and high-impact areas. This should help to achieve cost-effective, top-level compliance within a structured framework.
Achieving GDPR compliance is a significant project for any organisation, and the additional requirements for healthcare organisations complicate the process. Many organisations across the EU will not fully comply by the May deadline, so they will need to demonstrate that they are taking steps to achieve compliance.
A key way to demonstrate that an organisation is working to achieve compliance is to begin remediation actions by implementing a well-recognised information security framework. These frameworks include Cyber Essentials certification, 10 Steps to Cyber Security and ISO 27001.
Organisations need to have managers who understand the GDPR’s requirements and are well equipped to plan, implement and maintain a compliance programme.
Our GDPR Foundation and Practitioner training courses offer a structured learning path to equip managers with the specialist knowledge and skills needed to deliver GDPR compliance.
More information on the steps that health and social care organisations need to take in planning and implementing compliance strategies is available on our website or by calling us.
Discover how to comply with GDPR Article 15: the Right to Access, Article 20: the Right to Data Portability and Article 32: the Security of Processing, mitigate the risk of a data breach and reduce costs by £50,000 a year on average.