What will GDPR mean in (general) practice?

It comes into full effect on May 25 this year, it will overhaul how all business, including general practices, process and handle data and failure to comply comes with a heavy penalty. Is your practice GDPR-ready? Ian Jones, operations director at the Practice Managers Association (PMA), provides an insight into what the changes mean and some very useful links

“We have an opportunity to set out a new culture of data confidence in the UK,” ICO Commissioner, Elizabeth Denham.

What is GDPR?

The EU General Data Protection Regulation (GDPR) comes into force in May 2018; the scope of the changes under the new regulation means that preparing for the GDPR should now be a very high priority for general practices. GDPR will need to be implemented alongside the new Data Protection Act both of which will come into force on May 25, 2018.

All organisations will need to carry out audits of the employee and customer/patient personal data that they collect and process to ensure that it meets GDPR conditions for consent. New governance and record-keeping requirements mean that organisations will also have to create or amend policies and processes relating to privacy notices, data breach responses and subject access requests.

NHS Guidance and briefing on GDPR and accountability focuses on changes to data protection legislation: why this matters to you.

This covers:

  • data protection, accountability and governance;
  • privacy by design and default;
  • implications of the GDPR for Health and Social Care research;
  • health and social care research: legal basis and safeguards;
  • transparency, consent and subjects’ rights;
  • consent;
  • pseudonymisation;
  • personal data breaches and notification;
  • profiling and risk management;
  • what’s new and what changes.

General Data Protection Regulation (GDPR) guidance

This guidance, adapted from the national GDPR working group and IGA, will help the NHS, social care and partner organisations prepare for GDPR, when it begins in May 2018. The links at the end of this article provide a wealth of information and will keep you up-to-date on developments between now and May. Use this, and circulate the links to all staff within the practice.

Whether you are well through your planning or just starting your journey, take a look at the GDPR preparation guidelines created by the ICO – you can view these here.

In essence, all organisations or businesses that are processors or controllers of personal data will be required to comply with the GDPR. As all healthcare organisations currently fall under the DPA jurisdictions you will also be subject to the GDPR as mandated by the ICO.

Both personal data and sensitive personal data are covered by GDPR, where personal data are broadly defined as ‘a piece of information that can be used to identify an individual – name, address, email, telephone, etc.’ Sensitive personal data are those which ‘provide genetic data, information about religious and political views, sexual orientation and health records’.

You might also like...  Five tips for practices facing NHS property service charge hikes

These definitions are largely the same as those within current data protection laws and can relate to information that is collected through automated processes. Where GDPR is different from current data protection laws is that pseudonymised personal data can also fall under the new law if it’s possible that a person could be identified by a pseudonym.

So, what’s different?

In the full text of GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. These include allowing people to have easier access to the data companies hold about them, a new fines’ regime and a clear responsibility for organisations to obtain the consent of the people they collect information about. 

So, if you’re only just hearing of GDPR, here are some of the bigger changes and impacts to be prepared for:  

 Headline impacts 

  • Appointment of a data protection officer is mandatory for all public authorities.
  • Significantly increased penalties are possible for any breach of the regulation – and not just data breaches.
  • A Data Protection Impact Assessment is required for high risk processing.
  • There are legal requirements for security breach notification.
  • Data protection issues must be addressed in all information processes.
  • Removal of charges, in most cases, for providing copies of records to patients or staff who request them.
  • There are specific requirements for transparency and fair processing.
  • There’s a requirement to keep records of data processing activities.
  • Tighter rules where consent is the basis for processing.

It’s not possible to provide all the answers here – and directives are still being worked on within the NHS – but there are some excellent resources being published weekly.

Here are some sites to bookmark for a more thorough insight:

The ICO: Guide to GDPR

The ICO’s 12 steps

NHS Digital: Changes to Data Protection legislation: why this matters to you 

The EU’s official website for the regulation – all you need to know, including a countdown clock for when GDPR will come into force.

NHS GDPR Guidance

NHS Employers: General Data Protection Regulation – will you be ready?

The PMA offers a workshop on GDPR should you be looking for further support. Other workshops can be seen here.

About the PMA
For more information about the support the PMA can offer, please visit our website. Alternatively, contact us via email: [email protected] or call 0330 111 6459.

Don’t forget to follow us on Twitter, or connect with us on LinkedIn!