GDPR: Is your organisation compliant?

This last bank holiday weekend marked the first anniversary of the European Union's General Data Protection Regulation (GDPR), which came into force on 25th May 2018.

Back then, I remember being in Practice Manager forums and seeing everyone so hyped up about the forthcoming GDPR. There was a huge concern about the number of complaints that the new legislation would generate and the amount of work required to be GDPR compliant. In fact, there have been over 200,000 complaints sent to authorities and 65,000 data breach notifications since May 2018.

What about the much-feared fines (that supposedly would ruin businesses and damage reputations alike)? Well, regulators have handed out GDPR fines totalling £49.4m, although the majority of this was a single £43.6m penalty handed to Google back in January.

This might not seem much, but GDPR's scope covers any company worldwide handling the data of European citizens, and with many investigations still ongoing, it is expected that many more fines will be handed out and this figure will naturally rise. GDPR has not only impacted the UK or Europe in general: other governments around the world are expected to adopt rules similar to the European Union's GDPR.


But what was the point of GDPR? What were its benefits?

To start with, it has definitely raised citizens' awareness not only of how much data they produce and share but also of what businesses might be doing with all that data. People are certainly more aware of their consumer rights and data sharing options, as revealed by a report released last week by the Institute of Customer Service, in which 64% of respondents stated that they cannot name one organisation that they trust to handle their data, and 25% of those respondents further said that they won't share any personal information with organisations. The fact of the matter is that there is still much to do to reassure the wider public that their data is safe, or that the legislation is effective in preventing abuse at all.

And whilst the first year of GDPR was more focused on ensuring readiness and baseline compliance, it is expected that the second year will go further: organisations will need to shift their focus to accountability, with a real, evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. DPOs (Data Protection Officers) will surely play a central role in effective accountability, and it is crucial that whoever is given that role is also well-supported and resourced.


What about general practice? How can data controllers ensure that they are GDPR compliant when giving third parties access to patient data?

Contracts between controllers and processors ensure they both understand their obligations, responsibilities and liabilities. Contracts also help them comply with the GDPR, and assist controllers in demonstrating their compliance to individuals and regulators, as required by the accountability principle.


What needs to be included in the contract? Contracts must set out:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject; and
  • the controller's obligations and rights.

Contracts must also include specific terms or clauses regarding:

  • processing only on the controller's documented instructions;
  • the duty of confidence;
  • appropriate security measures;
  • using sub-processors;
  • data subjects' rights;
  • assisting the controller;
  • end-of-contract provisions;
  • audits and inspections.

What responsibilities and liabilities do controllers have when using a processor?

Controllers must only use processors that can give sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements and protects data subjects' rights. Controllers are primarily responsible for overall compliance with the GDPR, and for demonstrating that compliance. If this isn't achieved, they may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.


What responsibilities and liabilities do processors have in their own right?

In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR. If a processor fails to meet its obligations, or acts outside or against the controller's instructions, it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

If you are still unsure of your obligations under the current GDPR legislation, the ICO (the Information Commissioner's Office, the UK's independent supervisory authority for GDPR matters) website has a very useful self-assessment checklist which you might want to use to find out if your organisation is GDPR compliant. I strongly recommend taking this exercise, so I'll share the link below:

https://ico.org.uk/for-organisations/data-protection-self-assessment/assessment-for-small-business-owners-and-sole-traders/


Did you know...

Tree View Designs websites are unique, built on the very foundations of the NHS to provide an exceptional experience to both practice staff and their patients, and they are also fully GDPR compliant. To find out more about TVD website features, follow the link below...

https://treeviewdesigns.co.uk/website-features


Jorge Goncalves (NHS Practice Manager)
