31.01.18
Are you ready for GDPR?
Source: NHE Jan/Feb 18
Danny Mortimer, chief executive of NHS Employers, outlines the major changes that NHS organisations must prepare for ahead of the General Data Protection Regulation (GDPR).
The most important change to data privacy for 20 years is being introduced this year, and every NHS organisation must make sure they’re fully prepared.
Changes under the EU’s GDPR and Data Protection Act 2018 will come into effect from 25 May 2018 – and the government has confirmed the UK will continue to comply after Brexit.
The new laws mean governance, HR, legal and IT teams must work closely together to make sure their organisation complies.
To help NHS organisations, NHS Employers has published the ‘Changes to data protection requirements under GDPR’ factsheet, which has been developed in conjunction with healthcare legal specialists. The factsheet summarises the key changes and new data protection principles, provides a glossary of terms, and outlines important steps NHS organisations can take to prepare. The main changes include:
- Appointing a data protection officer: Responsibilities will include informing and advising the organisation and its employees of their data protection obligations, monitoring the organisation’s compliance and internal data protection policies, advising on the necessity of data protection impact assessments, and being the point of contact for the data protection authorities and individuals;
- An explicit accountability principle: Organisations will be required to demonstrate that they comply with the revised data protection principles by implementing appropriate and proportionate technical and organisational measures, maintaining documentation of their processing activities, and undertaking data protection impact assessments where appropriate;
- Ensuring the legal grounds for processing personal data are understood: Employers must be completely clear about their grounds for collecting, using and retaining personal data. Organisations should spend time now establishing what personal data they collect, what purposes it is put to, and the legal basis for processing the information. More than one lawful basis may apply to the same personal data, depending on the circumstances;
- Privacy notices: Under the existing data protection law, employers are already required to make available to employees and job applicants a privacy notice setting out certain information. In future, employers will need to provide more detailed information within their privacy notices. Employers are advised to review all documents that require a self-declaration from job applicants and employees to make sure the new requirements and the rights of the individuals are made expressly clear;
- Subject access requests: Employers will no longer be able to charge a fee as a condition of responding. Going forward, the data must be provided to the employee or individual free of charge in the first instance; a reasonable fee may be charged only where a request is manifestly unfounded or excessive, or where further copies are requested;
- Mandatory breach reporting: Where a personal data breach is likely to result in a risk to individuals, the organisation must notify the Information Commissioner's Office within 72 hours of becoming aware of it; where the risk is high, the affected individuals must also be informed without undue delay. Organisations can be subject to significant penalties where they breach the new requirements, and may also face legal claims from individuals or employees whose data protection rights have been infringed.
There are now just four months for each organisation to prepare and put all the necessary processes in place. They will have to ensure that all the changes are widely communicated and understood by all staff and that any necessary training is undertaken.
GDPR does, of course, have much wider implications for governance arrangements in the NHS, and health organisations are recommended to read the NHS Employers factsheet in conjunction with more detailed guidance produced by the Information Commissioner’s Office.
FOR MORE INFORMATION
W: www.tinyurl.com/Changes-to-data-protection
W: www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr