Changes in Data Protection Legislation: why this matters to you

26 Nov 2017

Changes in Data Protection Legislation

The EU General Data Protection Regulation, which was approved in 2016, comes into force in May 2018 and will not be affected by Brexit. It will replace the UK Data Protection Act 1998. At the time of writing, NHS England is chairing the national GDPR working group, which is tasked with formulating national-level, sector-specific policy and guidance to help healthcare organisations prepare for and become compliant with the new law.
The first set of guidance documents is due for publication this month (November 2017) and will be available on the Information Governance Alliance website.
In the meantime, here is what you need to know:
  • You will be obligated to demonstrate compliance with the new data laws.
  • There will be significant penalties for breaches; up to 10,000,000 Euros for security breaches and up to 20,000,000 Euros for breaches of principles, data subjects’ rights and international transfer restrictions.
  • You will need to report security breaches, by law.
  • You will no longer be able to charge for copies of records.
  • You will have only 30 days to comply with a Subject Access Request, not 40.
  • You will be required to keep records of data processing activities.
  • Your organisation will need to appoint a Data Protection Officer (mandatory).
  • You will need to conduct a Data Protection Impact Assessment for high risk processing.
  • You must address Data Protection issues in all information processes.
  • You must abide by specific requirements for transparency and fair processing.
  • You will have to abide by tighter rules where consent is the basis for processing.
Whilst the information currently available is scant, the coming months will see a refinement of the policy and guidance applicable within the healthcare sector. If you are compliant on the Information Governance toolkit, this will form a strong basis for the changes. The main points to bear in mind are that compliance will need to be demonstrated, costs for Subject Access Requests (SARs) will be scrapped, a Data Protection Officer will need to be appointed, and fines for breaches will be enforced (up to 4% of turnover).
On a practical level, the Information Commissioner’s Office recommends the following 12 steps to take now:
  1. AWARENESS: Make sure that key decision makers and people in your organisation are aware that the law is changing, so you can allocate resources to ensuring compliance. Start by looking at your risk registers to identify potential areas for concern.
  2. INFORMATION YOU HOLD: Show compliance with data protection principles by ensuring you have effective policies and procedures in place. Review your existing ones and document what personal data you hold, where it came from and who it may be shared with.
  3. COMMUNICATING PRIVACY INFORMATION: Review your current privacy notices to include the lawful basis for processing and retaining data, the retention periods and the right of the data subject to complain to the ICO. The ICO’s Privacy notices code of practice provides further information.
  4. INDIVIDUALS’ RIGHTS: Ensure that your procedures cover all the enhanced data subjects’ rights, including data portability, which is a new requirement.
  5. SUBJECT ACCESS REQUESTS: Policies and procedures for SARs will need updating to reflect the new timescales and the scrapping of administration fees. Consider the likely impact this will have on the organisation and whether more resources will be needed.
  6. LAWFUL BASIS FOR PROCESSING PERSONAL DATA: Update your privacy notice to document and explain the lawful basis for processing data. Under the new legislation, subjects have greater rights to request deletion.
  7. CONSENT: Review your current procedures for obtaining, recording and maintaining consent, and review your current consents. This detailed guidance tells you more about becoming compliant.
  8. CHILDREN: Verifying ages and obtaining parental/guardian consent for data processing activity will require your organisation to implement new processes. These requirements affect the provision of online services in particular.
  9. DATA BREACHES: A system needs to be in place to detect, report and investigate personal data breaches. You may be liable to a fine for failure to report a breach, in addition to being fined for the breach itself.
  10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS: Familiarise yourself with the ICO guidance on PIAs and that of the Article 29 Working Party, to ascertain what is applicable to your organisation and how to implement it.
  11. DATA PROTECTION OFFICERS: Processing health records makes it mandatory for an organisation to appoint a Data Protection Officer. Consider how you will go about this and what their role will be in the overall governance structure.
  12. INTERNATIONAL: If you have operations abroad (in more than one EU state), refer to Article 29 for further guidance.


DISCLAIMER: The information on this blog is for News Reporting and Educational Purposes Only.