The EU GDPR becomes active on the 25th of May 2018 and the press is full of stories that may create panic among practice managers. Rather than dreading the readiness process, bear in mind that there is plenty of help out there that can aid your planning and enable you to put secure systems in place.
Keeping data safe
The task of keeping the sensitive information you handle safe is nothing new; what is new is that the EU GDPR requires you to be able to describe, before you act, how you intend to keep data safe. It must then be possible to show ongoing compliance with your own policies, procedures and guidelines.
Implementation, first and foremost, requires the correct administrative understanding of the tasks involved. We advise that practice managers split the compliance tasks into the following seven phases:
Phase one is the identification phase. What are your current data protection processes? Where are the data, who has access to the data and in what processes are the data currently used?
Phase two is gap analysis. The results of the identification phase are compared with the requirements set out in the EU GDPR so that it is clear what gaps the organisation has with regard to complying with the new regulation.
Phase three is the Privacy Impact Assessment (PIA). A PIA is a basic assessment of the registered party’s (patient’s) level of protection. The purpose of a PIA is that a worst-case scenario for the registered party is considered, anticipated and, thereby, avoided.
Phase four is the implementation phase. Launch your data protection system.
Phase five is contingency planning for a leak. In cases where a leak of sensitive information occurs, the EU GDPR contains a new requirement that private and public enterprises must inform the relevant authorities. The following information will need to be disclosed:
- What types of data were leaked?
- How many registered parties does the leak involve?
- What are the consequences to those registered parties?
- What has been done to ensure that this does not happen again?
- The method used to inform those affected of the leak: public announcement, personal letter or email.
Phase six is ongoing management, monitoring and follow-up. It’s best to use an annual cycle to distribute the tasks of EU GDPR compliance throughout the year so as not to put staff under pressure at one particular time.
Phase seven is awareness. Ensure that all your staff are familiar with their responsibilities; to some this will be new and time needs to be taken for education and management.
Overall, seek help to get your systems in place early to avoid any staff pressures in what is already a busy environment.