GDPR – General Data Protection Regulation – what you need to know
12 Steps Towards Compliance
Welcome to the Practice Managers Association
The Practice Managers Association (PMA) is a UK-wide membership body that provides insight, training, education and interaction opportunities for those involved in General Practice. Its membership comprises Practice Managers, GPs and Practice Business Managers, all working in partnership. It seeks to facilitate and promote best practice amongst its members. The PMA offers education and support to those involved in the business management aspects of general practice. It is free to join and, by doing so, you’ll benefit from all we have to offer – and there’s plenty.
Housekeeping
• Smokers
• Fire Safety
• Timings
• Breaks / Lunch
• Toilets
Facilitator: Paul Dodd
GDPR – What’s New
• Organisations obliged to demonstrate that they comply with the new law
• Appointment of Data Protection Officer mandatory for all public authorities
• Significantly increased penalties possible for any breach of the Regulation – not just data breaches
• Data Protection Impact Assessment required for high risk processing
• Legal requirement for security breach notification
GDPR – What’s New
• Data protection issues must be addressed in all information processes
• Removal of charges, in most cases, for providing copies of records to patients or staff who request them
• Specific requirements for transparency and fair processing
• Requirement to keep records of data processing activities
• Tighter rules where consent is the basis for processing
Data Day Hygiene - ICO https://www.youtube.com/watch?v=CdYWoLC7TNI
Education and Awareness
• Inform decision makers and key people about GDPR
• Communicate impact and identify compliance challenges under GDPR
• Examine organisation’s risk register, if available
• Understand impact implementing GDPR could have on resources
• Use the first part of the GDPR’s two-year lead-in period to raise awareness of pending changes
• Acknowledge compliance may be difficult if left until last minute
Education and awareness https://ico.org.uk/for-organisations/resources-and-support/health-sector-resources/
Create the culture for compliance
“I stopped explaining myself when I realised people only understand from their view and perception”
What’s your view? https://www.youtube.com/watch?v=r3WDDVWaW9w
What we agree on
• Principle – Patients come first
• Definition – What does coming first mean?
• Method – What’s the plan? Where is the focus?
• Details – What do I do?
Accountability and Audit
• Show how you comply with data protection principles
• Do you have good policies and procedures in place?
• Document personal data held, where it came from and with whom you share it
• Consider doing an information audit on data you store, process and transmit
• If data sent to a 3rd party is inaccurate, you must tell them
What to audit
• What personal data do you hold?
• Where did it come from?
• Who do you share it with?
• The lawful basis for processing it
• What format(s) is it in?
• Who is responsible for it?
Update Privacy Notices
Individuals now have stronger data protection rights.
• Review all privacy notices
• Plan for any changes to privacy notices in time for GDPR
• When collecting data, continue to provide your identity and how you intend to use personal data, BUT NOW YOU MUST ALSO explain (1) the legal basis for processing the data, (2) retention periods and (3) the individual’s right to complain when you get it wrong
What do we need to tell people?
• your intended purposes for processing the personal data;
• the lawful basis for the processing.
This applies whether you collect the personal data directly from the individual or you collect their data from another source.
Understand Individuals’ Enhanced Rights
Check policies and procedures to ensure they cover individuals’ enhanced rights under GDPR:
• Subject access requests
• Correction of inaccuracies
• Erasure of information
• Prevent direct marketing
• Prevent automated decision-making and profiling
• Data portability
Update Subject Access Request Procedures
Must handle subject access requests (SARs) in 1 month, not 40 days.
• Cannot charge or refuse SARs unless manifestly unfounded or excessive
• Use new policies / procedures to show why a request was refused
• Provide information on data retention periods and the right to have inaccurate data corrected to the person making the SAR
• Large organisations should consider logistics of SARs carefully
• Give information about SAR policies and procedures online?
• Consider conducting a cost/benefit analysis
SAR – The cost: What can we do?
• How many do you get now?
• How big are they?
• Who does what, and for how long?
• Physical resources needed
Identify Legal Basis for Data Processing
• Assess types of data processing you do, identify the legal basis and document it
• People have a stronger right to have data deleted when it was obtained via consent
• Give details of the legal basis in privacy notices (see Step 3) and SARs (Step 5)
Legal bases are broadly the same under GDPR as in the DPA.
Legitimate interests vs Consent
In cases where there is a choice, including consent:
• Who does the processing benefit?
• Would individuals expect this processing to take place?
• What is your relationship with the individual? Are you in a position of power over them?
• What is the impact of the processing on the individual? Are they vulnerable?
• Are some of the individuals concerned likely to object?
• Are you able to stop the processing at any time on request?
What’s the basis – where do our records fit?
• HR records
• Medical records
• Requests for examination and treatment
• Screening tests
7. Obtaining Consent
• Review how you seek, obtain and record consent
• Both DPA and GDPR refer to ‘consent’ and ‘explicit consent’
• The difference between the two is unclear. Both forms are freely given, specific, informed and unambiguous
• Consent has to be a positive indication of agreement to process personal data. Not inferred by silence or pre-ticked boxes
• Consent must be verifiable. Controllers must be able to demonstrate consent was given
• Set up an effective audit trail to show consent
8. Processing Children’s Personal Data
• Introduce systems to verify individuals’ ages and to gather parental or guardian consent for processing of children’s personal data
• GDPR introduces special protection for children’s personal data, especially under commercial Internet services e.g. social media
• Child – anyone under 13 years
• Consent must be verifiable
• Privacy notice written in language children understand
Data Protection Officers
• Designate a data protection officer if required; or designate a person responsible for data protection compliance
• Where does this role sit within corporate governance?
• Someone must take responsibility/accountability in all cases
• Consider an external data protection advisor
• GDPR requires some organisations to designate a Data Protection Officer, e.g. a public authority or organisations doing regular and systematic monitoring of data subjects on a large scale
Special Categories of Data
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data and biometric data for the purpose of uniquely identifying a natural person
• Health
• A person’s sex life or sexual orientation
Records of Processing Activities
Article 30 of the GDPR requires organisations to maintain a record of the processing activities under their responsibility. The records must contain:
(a) The name and contact details of the controller and, if applicable, the joint controller, the controller’s representative and the data protection officer
(b) The purposes of the processing
(c) A description of the categories of data subjects and categories of personal data
(d) The categories of recipients to whom the personal data has been (or will be) disclosed (including to third countries/international organisations)
(e) Where applicable, transfers of personal data to a third country or an international organisation, including their identity and documentation of suitable safeguards (if applicable)
(f) Where possible, the envisaged time limits for erasure of the different categories of data
(g) Where possible, a general description of the technical and organisational security measures
Records of Processing Activities
If you have fewer than 250 employees, then you must keep records of any processing activities that:
• are not occasional;
• could result in a risk to the rights and freedoms of individuals; or
• involve the processing of special categories of data or criminal conviction and offence data.
You may be required to make these records available to the ICO on request.
Records of Processing Activities
If you have over 250 employees, you must record the following information:
• name and details of your business (and, where applicable, of other controllers, your representative and data protection officer);
• purposes of the processing;
• description of the categories of individuals and categories of personal data;
• categories of recipients of personal data;
• where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
• retention schedules; and
• a general description of technical and organisational security measures.
You may be required to make these records available to the ICO on request.