What is the EU GDPR?
The EU’s General Data Protection Regulation (GDPR) applies from 25 May 2018, and all organisations are required to be compliant by that date. The Regulation replaces the national laws that implemented the EU Data Protection Directive of 1995, including the UK Data Protection Act 1998. The UK government’s new Data Protection Bill, published yesterday (14 September 2017), is expected to implement a large proportion of the GDPR.
Why did the EU change its data protection regulations?
The previous data protection regulations were considered outdated for today’s increasingly digital society. The new legislation champions greater rights to data subjects, while streamlining data protection laws across the EU.
What about Brexit?
The new Data Protection Bill is based on the GDPR, so the majority of the legislation will remain the same after Brexit. The Information Commissioner’s Office (ICO) will continue to enforce data protection law in the UK and has confirmed that the GDPR will apply.
What is different about the GDPR?
- Individuals and organisations that are either ‘controllers’ or ‘processors’ of personal data are covered by the GDPR. A ‘controller’ is an individual or entity that determines the purposes and means of processing personal data. A ‘processor’ is an individual or entity that processes the data on the controller’s behalf (for example obtaining, recording, altering or storing personal data)
- Organisations governed by the GDPR will be more accountable for how they handle data and must be able to demonstrate their compliance
- ‘Personal data’ has a broader definition, so more data will be regulated than previously; it covers any information relating to an identifiable individual, including factors specific to their physical, genetic, mental, economic, cultural or social identity
- Public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data (such as health data), must appoint a data protection officer (DPO)
- The DPO must have expert knowledge of data protection law and practice in order to understand and meet the standards set by the Regulation
- Data Protection Impact Assessments (DPIAs) are mandatory for processing that is likely to result in a high risk to individuals; they build on the Privacy Impact Assessments (PIAs) that the ICO previously recommended as good practice under the Data Protection Act 1998
- Personal data breaches that are likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of them. The notification must describe the nature of the breach, its likely consequences for the people affected (for example financial loss, loss of confidentiality or reputational damage) and the measures taken in response; where the risk to individuals is high, they must be informed as well
- Data processors will have direct legal obligations of their own and may be held liable for data breaches
- The rules for consent have changed. Where consent is relied on as the lawful basis for processing, it must be a ‘positive opt-in’: a clear affirmative action, given freely for a specific purpose, after the individual has been told in plain language what they are consenting to. Pre-ticked boxes and silence do not count. Consent is only one of several lawful bases; much routine processing (for example providing health care) will usually rely on a different basis
- Where consent is relied on for online services offered directly to children, parental consent is required below the digital age of consent (16 under the GDPR; member states may lower this to 13, and the UK Bill proposes 13)
- Transfers of personal data outside the EU are restricted unless a recognised safeguard is in place
- Hefty penalties have been introduced; organisations in breach of the Regulation may be fined up to €20 million or 4% of annual worldwide turnover, whichever is greater
- Data subjects have a ‘right to be forgotten’ (the right to erasure), and organisations need a process for handling deletion requests
- Individuals can now make a subject access request free of charge, whereas previously companies could charge £10 to provide the data
- Time limits apply for responding to subject access requests: one month from the date of the request, extendable by a further two months where requests are complex or numerous
Things to consider in your practice: GDPR FAQs
Dental practices hold personal data and, because health data is included, ‘special category’ data.
Employers and practice owners should register with the ICO as controllers. Self-employed associates should also register individually as controllers. Employed staff members and DFTs may be covered by their employer’s registration.
Appointing a data protection officer
Dental practices process health data, which is ‘special category’ data under the GDPR. A DPO is mandatory where an organisation’s core activities involve large-scale processing of special category data. The guidance from the European data protection regulators (the Article 29 Working Party) gives a hospital as an example of large-scale processing and an individual practitioner as an example that is not, so whether a practice is strictly required to appoint a DPO depends on its size; many practices will nonetheless want someone to lead data protection compliance, so consider who you would appoint. The DPO’s responsibilities are set by the Regulation itself (informing and advising the organisation, monitoring compliance, advising on DPIAs and acting as the contact point for the ICO and for data subjects), so the role will take time from your staff. The individual you choose is likely to need additional training to become familiar with the legislation in order to implement the GDPR changes by 25 May 2018. Some organisations outsource the role to an external consultancy to ensure compliance is achieved and staff are trained.
Determine what sort of data you hold and how it is stored
If you use online backups for your data, such as a cloud server, check where it is located. Data held within the EU is covered by the GDPR directly; storing it outside the EU is an international transfer and needs a lawful transfer mechanism (for example an adequacy decision, the European Commission’s standard contractual clauses or binding corporate rules). You may need to organise an information audit to determine what data you process, where it is stored and who has access to it.
What about Invisalign cases? These require the transfer of sensitive data to a non-EU country.
Every international transfer needs a lawful transfer mechanism and should be risk assessed. The US has no general data protection law; HIPAA covers healthcare organisations but is not equivalent to the GDPR. The former US/EU Safe Harbour scheme was invalidated in 2015 and has been replaced by the EU-US Privacy Shield, under which certified US organisations may receive personal data from the EU; other options are the European Commission’s standard contractual clauses and, for transfers within a corporate group, binding corporate rules (BCRs).
Interestingly, Align Technology Inc (Invisalign) was the first company to successfully close a dual application for BCRs covering both its processor and controller activities, which ensured data protection compliance for its global information transfers under the previous data protection directive. It is likely that Align will continue to uphold its commitment to data protection compliance as the GDPR takes effect.
Deletion of data: will we be required to delete dental records if a patient requests?
Not in most cases. The right to erasure is not absolute: it does not apply where the data must be kept to comply with a legal obligation, for health-care purposes or for the establishment or defence of legal claims, so clinical records that are subject to professional and legal retention requirements need not be deleted on request. The exemption comes from the retention obligation, not simply from the records being ‘special category’ data. The request must still be acknowledged and answered within one month, explaining why the records are being retained.
How does ‘positive opt-in’ affect us?
This determines how a patient wishes to be contacted by the practice for purposes other than their care. Previously an individual might be contacted by any means and would have to ask the organisation to opt out of communication; now they must opt in. This is relevant to your practice marketing: you will need consent for marketing emails, text messages and post (electronic marketing already requires consent under the Privacy and Electronic Communications Regulations). We suggest a separate, unticked box on the medical history form asking how patients would prefer to be contacted and explicitly requesting their consent to marketing. The box must not be pre-ticked or bundled with consent to treatment, and patients must be able to withdraw consent as easily as they gave it. Routine contact about a patient’s own care, such as appointment reminders, is a service message rather than marketing and does not need this consent.
The ICO recommends that businesses commence their preparation now. More guidance will be released by the ICO over the coming months.
HOW CAN EVOLVE HELP?
As further developments in GDPR legislation and how it will be implemented in health-care unfold, we can continue to keep you informed.
We have formulated an action plan which allows you to determine the steps you must take for your practice to meet the standards. This will incorporate the required DPIA, so that your assessment is in line with the Regulation.
We will train your chosen DPO to ensure that they meet the required standards, understand the GDPR and how to begin implementing it into your practice.
Data Protection Assessments
Our Risk Assessment services are all in-house. We visit your practice and conduct a thorough Data Protection Risk Assessment. A report is generated with an action plan for you to follow and implement, specific to your practice.
Our consulting services are always bespoke, and data protection is no exception. We can formulate a tailor-made package for you in which we determine via Risk Assessment what steps are required for your practice to meet the Regulation, provide training for your DPO, and manage the required action plan. GDPR is taken care of by us.