What’s changed?
Tougher data protection laws come into force from 25th May. The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 and introduces more obligations for organisations that process personal information.
Here are five key changes to be aware of:
1. Increased rights for data subjects
The GDPR sets out 8 specific rights for individuals whose data you hold. These include the right to be informed how their data will be used; the right to object to their data being processed; the right to request access to the data held about them; and the right to have incorrect data corrected.
2. Tighter controls on data processing
You must have a legal basis for processing someone’s data. This means you need to satisfy one of six conditions, such as consent or performance of a contract. Note that healthcare data is classed as special category data under the GDPR which means at least one further separate condition must also be met. These include where the processing is necessary for the purposes of medical diagnosis or healthcare and for the defence of legal claims.
3. Transparency for data subjects
The GDPR emphasises the importance of transparency and sets out the information that you need to provide to data subjects. This will usually be in the form of a Privacy Policy which should always be concise, transparent, intelligible and easily accessible. It needs to include information such as the purpose of your data processing and the legal basis for it; any recipient of data; the existence of the data subject rights and retention periods.
4. Data protection by design
You must show that you consider and integrate data protection into all your processing activities on an ongoing basis. Whenever you begin a new project, such as a new service for patients, ensure you assess and identify data protection risks and then incorporate security measures which address these from the outset.
5. Tougher enforcement
Organisations that fail to meet their obligations can be fined up to a maximum of £17 million or 4% of worldwide annual turnover (the maximum was £500,000 under the Data Protection Act). The Information Commissioner’s Office (ICO) says fines will always be a last resort but warns it has a range of other sanctions, such as warnings and corrective orders. The ICO lists all the actions it takes on its website, which could have serious consequences for your reputation.
This is one of a series of blogs from Healthcode in the run-up to the GDPR. To keep up to date with information about the new data protection law and a range of resources to help you comply, visit the Healthcode Blog. You can also find general information on the ICO website at www.ico.org.uk