The GDPR compliance countdown is ticking louder and faster. Whether you’re public or private sector, a dentist, GP, local authority or charity, your organisation has until 25th May 2018 to comply with the new General Data Protection Regulations (GDPR).
By then, make sure that:
Under the GDPR, you must select a lawful basis for each data process. For example, if you want to email direct marketing to patients or prospective patients, they have the right to object to the use of personal data for that kind of processing.
Consent, however, is only one lawful basis for the processing of personal data. Others include legitimate interests or performance of a public task – these two are often the more appropriate justifications for processing medical data.
But whichever way you plan to use patient data, you must only use it for the purposes you have told them. This information must be explained simply and accessed easily by patients.
Contracts with data processors are compliant by including the GDPR mandates
A data processor could be, for example, an outsourced cloud IT backup provider or payroll function that processes patient or staff data.
The legal responsibilities of data processors are now weighty, in comparison to the existing Data Protection Act. Yet it is still the responsibility of the data controller – i.e. the GP, dental practice or local authority etc – to make sure the data processor is GDPR compliant. And you must have a clear GDPR stipulation in your contract with them.
Your internal governance and security processes are robust
Keeping data secure is key to the GDPR. To avoid heavy fines and reputation loss, you want to avoid data breaches at all costs. Update your technology, encrypt data where possible, and update your Business Continuity and Disaster Recovery plans to accommodate GDPR.
The Information Commissioner’s Office has published a great resource for health and social care professionals on its website: https://ico.org.uk/for-organisations/health/