EU General Data Protection Regulation (GDPR) – An Introduction
As all the marketing emails you have been receiving indicate, you need to prepare for the EU General Data Protection Regulation. The “GDPR” will be in force from 25 May 2018 – that is in about eight months from now! Whatever format emerges for Brexit, it is not expected to have any impact on the requirements of this new legislation, which is anticipated to apply for the foreseeable future.
GDPR will replace the 1998 Data Protection Act. It brings important changes to the law governing the management and use of service user data. Your service will need to take sufficient time to understand, plan, prepare for and implement the necessary operational changes. Customers of QCS will have access to policies and procedures that will support these changes.
These imminent changes to data protection legislation are significant and cannot be ignored. Nor, on a practical level, should they be left until the last moment if you want to stay in control of your service compliance.
The Major Impacts of GDPR
So, what are the major impacts, overall and day-to-day, for your service, recognising that some will apply more regularly than others?
- All organisations will be obliged to demonstrate that they comply with the new law.
- There will be tighter rules where consent is the basis for processing (data).
- There will be significantly increased penalties possible for any breach of the Regulation – not just data breaches.
- Data protection issues must be addressed in all information processes.
- There will be a legal requirement for security breach notification.
- There will be specific requirements for transparency and fair processing.
- There will be a requirement to remove charges, in most cases, for providing copies of records to service users or staff who request them.
- A Data Protection Impact Assessment will be required for high risk (data) processing.
- There will be a requirement to keep records of data processing activities.
- The appointment of a Data Protection Officer will be mandatory for all public authorities. *
* https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/ – see the section “Further reading from the Article 29 Working Party”, which contains helpful guidance and FAQs.
Information Governance Alliance
Information now available via NHS Digital provides details of the subject-by-subject guidance due to be published by the Information Governance Alliance (“IGA”). The first is already available and is a good introductory read that will help services begin to prepare strategically in the first instance: Changes to Data Protection legislation: why this matters to you (CEO briefing on GDPR and Accountability for Data Protection), https://digital.nhs.uk/article/1414/General-Data-Protection-Regulation-guidance
What Will the GDPR Mean for Your Organisation?
This will be followed by focused blocks of information that will inform services about how they will be affected. These are expected to be:
- Data protection accountability and governance
- Privacy by design and default
- Implications of the GDPR for Health and Social Care Research
- Health and Social Care Research: legal basis and safeguards
- Transparency, consent and data subjects' rights
- Personal data breaches and notification
- Profiling and risk stratification
- GDPR overview
- What's new and what changes
There is also a fairly recent newsletter (the March 2017 IGA newsletter) and a webinar (the GDPR webinar) for services to read and watch, providing early support in the face of such a significant piece of legislation.
The earlier you begin to understand what these changes will mean for your service and plan for them, the easier they will be to implement on time.
*All information is correct at the time of publishing