Data security and the General Data Protection Regulations (GDPR) - get ready now!

Earlier this month that the Government announced that the forthcoming European privacy rules set out in the General Data Protection Regulation (GDPR) will come into British law and update the existing Data Protection Act. This impacts on everyone, including GP practices.

The announcement confirmed that the EU’s GDPR will become active in this country, irrespective of what happens with ‘Brexit’. Practices need to act now ahead of the GDPR coming into full force on 25 May 2018. It is arguably the most important data legislation change of recent times and the task of keeping data safe is now more vital than ever before.

What can practices do to prepare for the May 2018 deadline?

Practice Index have come up with the following advice:

  1. Don’t panic

    There is no need to fear the GDPR. Many of its main concepts and principles are much the same as those in the current Data Protection Act (DPA). If you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR. This is a good starting point on which to build.

    There are new elements and significant enhancements, so you will have to do some things for the first time and some things differently. A good starting point is the Information Commissioner’s Office’s (ICO) helpful 12-step guide to get you started
  1. Learn what’s covered

    According to the main GDPR website, the regulations apply to personal data. This includes: names, photos, email addresses, bank details, posts on social networking websites, medical information and computer IP addresses.

    It is therefore vitally important to ensure that you collect and store confidential data and client contact data in accordance with the GDPR. This doesn’t mean that you should discard any data that has not been gathered with a GDPR compliant process. However, you must contact those individuals again to request the appropriate consent. If you work with children, you will need to gain parental or guardian consent in order to process their data lawfully.
  1. Learn the basic principles

    According to the ICO, the GDPR centres around ‘controllers’ and ‘processors’. Effectively, the controller says how and why personal data is processed and the processor acts on the controller’s behalf.

    The GDPR places specific legal obligations on processors. eg, they are required to maintain records of personal data and processing activities and will have significantly more legal liability if they are responsible for a breach. These obligations for processors are a new requirement under the GDPR so you will need to make sure you are up to date with them.
  1. Be proactive!

    Central advice on how the GDPR will affect centralised databases and the users of them in the NHS seems to be scarce at the moment. Be proactive if you have yet to receive any advice and ask for the information you need, finding out what you need to do early will be extremely helpful.
  1. Get everybody on board

    GDPR and data protection requires buy-in from everyone in the practice team. It is likely that meeting GDPR needs will also involve changes to processes, so getting people onside will aid with change management. Understanding the tasks involved will also be vitally important.
  1. Appoint a DPO (Data Protection Officer)

    You may need to appoint a dedicated DPO, who will be responsible for GDPR compliance. You will also need to ensure that everybody is clear as to their rights and responsibilities in relation to processes and procedures.
  1. Understand your data

    Once you’re ready to make a start in ensuring your practice is GDPR compliant the first stage is all about understanding your data. What data do you hold? How do you collect it? Where and how is that data stored? Who has access to it? How is the data currently used? Try to be as clear and as detailed as possible.
  1. Compare

    The ICO recommends that once you understand what your current data set-up is like, you compare it against the GDPR requirements. This will help you identify any gaps in your processes.
  1. Rights and requests

    One of the key elements of the new law is all about individuals’ rights – including the right to be forgotten. You will need to check your procedures to ensure they cover all the rights that individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. You should also update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  1. Plan for the worst

    The threat of cyber attacks is growing. As NHS organisations are a prime target for attack, it’s highly likely that GP practices will be the next victims. Plan for the worst and use a ‘when it happens’ not an ‘if it happens’ approach to dealing with a cyber attack.

    The GDPR states that you must inform the relevant authorities (ICO and NHS) of a data breach, within 72 hours of becoming aware of the breach. The information must include:
  • the types of data that were leaked
  • the number of registered parties the leak involved
  • the consequences of the breach to those registered parties
  • what has been done to ensure that the breach does not happen again
  • the methods of informing the data leakage – public announcement, personal letter or emails.
  1. Make it an ongoing task

    Data privacy and compliance with the GDPR is not a short-term obligation. Ongoing monitoring and compliance will be essential. This is where a DPO really comes into their own. The DPO will be vital in ensuring processes do not get ignored and good practice is followed at all times.

Overall, the GDPR will be an admin burden for practices, but in so many ways it’s all about processes and procedures and isn’t as daunting as it perhaps seems at first glance.

This information was produced with the kind permission of Practice Index, an organisation set up to support GP Practice Managers at medical practices throughout the UK. Visit https://practiceindex.co.uk/gp/ for further information.

Last updated : 25 Oct 2017

 

Department of Health and Social Care rejects merger of Community Health Partnerships and NHS Property Services (19 Feb 2018)

The Department of Health and Social Care (DHSC) has rejected the proposed merger between NHS Property Services (NHSPS) and Community Health Partnerships (CHP), which was one of the recommendations of...
Read more »

Tips on submitting childhood immunisations (0-5) data to Open Exeter (19 Feb 2018)

At our recent finance event for GPs and practice managers NHS England London’s vaccinations and immunisations team gave the following advice to practices when submitting their childhood immunisations (0-5) data...
Read more »

Tips of the Month February 2018 (16 Feb 2018)

We provide weekly tips based on common queries which come through to us from London GPs and practice teams. These are shared via social media and collated for...
Read more »

General Data Protection Regulation (GDPR) – further guidance now available (16 Feb 2018)

The Information Governance Alliance (IGA), which includes the Department of Health, NHS England, NHS Digital and Public Health England, is in the process of producing guidance for GDPR ahead of...
Read more »

Practice resources for children and young people (16 Feb 2018)

Healthy London Partnership (HLP), brings together London CCGs, NHS England and other partners to assist with the delivery of better health and care for all Londoners. HLP has a range...
Read more »

Contacting the NHS England London premises team (16 Feb 2018)

At our recent finance event for GPs and practice managers, Sian Clapton from NHS England London’s premises team, provided us with contact details for the team. Any issues relating to premises...
Read more »

MP visit - Chuka Umunna meets with Lambeth LMC (16 Feb 2018)

On Friday 29 January 2018 members of Lambeth LMC met Chuka Umunna MP at the Exchange Surgery in his Streatham constituency. The LMC members covered the challenges around recruitment, retention...
Read more »

Influenza and the annual vaccine ordering challenge for practices (16 Feb 2018)

Kenny Gibson, Head of Public Health Commissioning (London) and NHS England London’s lead on flu vaccinations shares his tips for anticipating the cycle of winter illnesses and getting the best...
Read more »

It’s election year at Londonwide LMCs - make your voice heard (16 Feb 2018)

This year every LMC seat is up for election. Any GP working in one of the 27 London boroughs we represent may be nominated for election regardless of their contractual...
Read more »

Discount rates for flu vaccines for winter 2018 through Londonwide LMCs' Buying Group (13 Feb 2018)

Many practices are starting to plan for winter 2018 and are pre-ordering their flu vaccines. Londonwide LMCs' Buying Group, through our buying partner MidMeds, has negotiated a specially discounted rate...
Read more »
Next Page »
« Previous Page