The GDPR compliance countdown is ticking louder and faster. Whether you are public or private sector, a dentist, GP, local authority or charity, your organisation has until 25th May 2018 to comply with the new General Data Protection Regulation (GDPR).
By then, make sure that:
Key documents like consent forms are compatible with your stated privacy policy.
Under the GDPR, you must identify a lawful basis for each processing activity. For example, if you want to send direct marketing by email to patients or prospective patients, they have the right to object to the use of their personal data for that kind of processing.
Consent, however, is only one lawful basis for the processing of personal data. Others include legitimate interests or performance of a public task – these two are often the more appropriate justifications for processing medical data.
But however you plan to use patient data, you must only use it for the purposes you have told patients about. This information must be explained simply and be easy for patients to access.
Contracts with data processors are compliant and include the terms the GDPR mandates
A data processor could be, for example, an outsourced cloud IT backup provider or payroll function that processes patient or staff data.
The legal responsibilities of data processors are now far weightier than under the existing Data Protection Act. Yet it remains the responsibility of the data controller (i.e. the GP, dental practice, local authority, etc.) to make sure the data processor is GDPR compliant, and you must have clear GDPR stipulations in your contract with them.
Your privacy policy is transparent and fit for purpose
The GDPR demands clarity and simplicity in privacy policies (or privacy notices, as they are sometimes called). You must write your privacy policy so that patients and staff can understand quickly and easily who you are and what you plan to do with their personal data.
Check out this blog to find out “How to write a GDPR compliant privacy notice.”
Your internal governance and security processes are robust
Keeping data secure is central to the GDPR. To avoid heavy fines and loss of reputation, you want to avoid data breaches at all costs. Update your technology, encrypt data where possible, and update your Business Continuity and Disaster Recovery plans to accommodate the GDPR.
The Information Commissioner’s Office has published a great resource for health and social care professionals on its website: https://ico.org.uk/for-organisations/health/
If you think you need more formal training, Me Learning has developed online GDPR courses to help train health and social care professionals. To find out more, click here.