The general data protection regulation (GDPR) is in force. While most general practices will have data processing, management and storage well managed, it must be remembered that this is an ongoing process. The Practice Managers Association cautions practices against thinking GDPR is all done and dusted, and considers the role of the data protection officer and who should fill this position.
What is a Data Protection Officer and why is the role relevant to primary care?
A data protection officer (DPO) is a leadership role required by the general data protection regulation (GDPR) to oversee data protection strategy and implementation, ensuring that your practice complies with GDPR requirements.
As you know, the EU GDPR came into force on May 25. The scope of the changes under the new regulation meant that preparing for the GDPR should have been a high priority for you in general practice.
However, it does not end there: ongoing maintenance and monitoring to ensure compliance is key.
Article 37 of the GDPR mandates the appointment of a DPO for all organisations whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or where there is large-scale processing of “special categories of personal data”. The DPO is tasked with:
- Monitoring compliance with the GDPR and data privacy risks in the practice’s activities.
- Ensuring staff have awareness of data processing requirements under the GDPR and other applicable European data privacy laws.
- Training staff on data processing requirements.
- Conducting data protection impact assessments.
- Maintaining records of processing.
- Conducting data security and processing audits.
- Serving as a point of contact for data subjects and supervisory authorities.
How does this translate to primary care?
Practices will need to carry out audits of the patient data and employee personal data that is collected and processed to ensure that it meets GDPR conditions for patient and employee consent. New governance and record-keeping requirements mean that you will also have to create or amend policies and processes on privacy notices, data breach responses and subject access requests.
There is a much greater emphasis on compliance following a widely held belief that business up to now has not taken data privacy seriously enough. Possible penalties are considerably harsher and, importantly, now include small and medium businesses within the public sector.
But remember, the new GDPR compliance requirements are not just about avoiding fines. They are about ensuring that the data upon which your business or practice is built is managed in an appropriate, respectful and lawful manner, and that the right levels of accountability and governance are applied by the practice.
There has never been a more important time to ensure that best practice is in place to secure patient and staff data, protect reputation and ensure compliance. A planned and structured approach is required to fully understand the necessary changes for both systems and user behaviour. And the role of the Data Protection Officer is pivotal to the GDPR compliance of the practice.
Where do you find a DPO?
As long as the professional duties of one of your staff are compatible with the duties of the DPO and do not lead to a conflict of interests, you can appoint them as your DPO rather than having to create a new post. Of course, they may require some training for safeguarding purposes, to confirm that they have the skills and knowledge to fulfil the task to the required standard.