What are your obligations under the General Data Protection Regulation (GDPR) – are you going to be ready?
Preparing for the new data protection regime means making sure you and your team/associates are familiar with the GDPR, so that you and your company are fully compliant with the processes, systems and policies you are required to have in place by 25 May 2018.
Certain types of personal data must be treated with particular care because of their sensitive nature. This is of course common sense. Health data falls under what the ICO (Information Commissioner’s Office) calls the ‘special category’, so complying with the GDPR is a mandatory obligation, and all the more so if you work in the health professional field.
As with any new legislation that brings mandatory requirements to comply with, the initial response is to panic and stress over yet another set of red-tape regulations to bow down to, more paperwork and more things to remember. It can feel like just too much, especially as it is seen as a ‘dry subject’ – not the easiest of topics to get excited about.
We want to put a stop to those scare-mongering tactics. Data protection is not that frightening! Good old-fashioned common sense and a balanced approach are what is needed. The majority of professionals in the field of health have experienced the wrath of CPD (Continuous Professional Development): that fear of being randomly selected every two years to be brutally grilled and audited. The HCPC, the regulator of health, psychological and social work professionals, is not a monster, and in the same way the ICO is not there to hold you at gunpoint.
As long as you take it seriously and have a solid plan of action in place covering areas such as:
- Your team is properly trained, with an understanding of what a breach is
- A chain of command – who are the processors, who is the data controller and who is the data protection officer
- A good understanding of ‘consent’ and ‘the right to be forgotten’
- Data mapping of all your systems – what the information flows are
- The fundamental policies in place
- Privacy impact assessments (posh name for risk assessments) carried out
- Information notices in place
- Audit of your internal and external data processing activities
- A data protection breach register for recording breaches.
There are many more areas that need to be addressed; here are some:
- Technology used for processing data
- Subject access requests
- Privacy by design
- Updating your terms of business and associate contracts
- Appointment of a Data Protection Officer (if required)
- Breaches and fines.
Individuals’ right to be forgotten is going to be the biggest theme running throughout this legislation. Transparency is absolutely paramount: make your organisation easy to contact on all your materials, including your website, email signatures and newsletters.
Anyone new to this legislation will likely feel daunted by its implications and wish to stick their head in the sand and hope it won’t affect them. But taking a positive approach, looking at what needs to be put in place, deciding who in your organisation is to be responsible for compliance, and identifying the likely potential breaches within your systems and processes are just a few steps towards making sure you’re ready and super organised.
There is definitely no need to panic; there is plenty of time to schedule in all the different tasks required to be compliant in readiness for May 2018. It’s all about staying calm, being organised and being thorough. We all do battle on a day-to-day basis running our own businesses, fire-fighting whatever problems get thrown at us. Further hassle in dealing with more mandatory legislation can feel exhausting, eating further into your precious time and brain capacity. The best approach is to seek advice and assistance and find a way of tackling this added mandatory obligation, making sure you properly understand what you must do.