General Data Protection Regulation

No doubt you will have heard much discussion about the General Data Protection Regulation (“GDPR”) by now. It will come into immediate force in Irish law on 25 May 2018 and this has been well sign-posted and flagged for some time.
The GDPR imposes greater obligations on organisations which collect and process personal data and this includes GP practices of all sizes.
The GDPR has serious implications for you and your practice and you need to be fully up to speed with it. This article will give you an overview of what the GDPR is about and what it means for your practice. It will also set out a detailed road-map for your preparations, to get you on the way to compliance.
Preparing for the GDPR must be a key priority for your practice over the coming months. This is an opportunity for your practice to streamline procedures, with potential time and cost efficiencies. GDPR compliance will help you to safeguard personal data, build trust with your patients and staff and to protect your practice against complaints.
The GDPR will replace the existing EU Data Protection framework and will standardise Data Protection rights for European citizens. The GDPR keeps and enhances many of the existing Data Protection principles. It puts great emphasis on transparency and security.
The GDPR will give individuals additional and stronger Data Protection rights. For example, it will be easier for individuals to bring private claims for compensation against data controllers for breach of data privacy.
The GDPR gives Data Protection Authorities the power to sanction non-compliance. Sanctions can include fines of up to €20,000,000 or 4% of total global annual turnover.
A failure to report a breach could result in a sanction, in addition to a sanction for the actual breach. Financial sanctions are a serious consideration but the associated reputational damage for your practice could also be very damaging.
You should inform your staff as soon as possible that the law is changing in relation to Data Protection and that it will mean changes in how your practice operates.
Someone in your practice must be responsible for Data Protection compliance, a designated Data Protection Officer (“DPO”). Many GP practices already have a designated DPO. Your practice DPO will be a key player in driving GDPR compliance within your practice. He/she will need the right knowledge, authority and support and may benefit from upskilling or specific training.
Preparing for the GDPR will be time and resource intensive. Your practice will need time to introduce the required changes in a controlled manner. You should commence your preparations as soon as possible.
It is important to keep a paper trail of all steps taken towards GDPR compliance. We recommend starting with an education session for your staff on the GDPR and what it entails, followed by a paper-based exercise and meetings / workshops with your staff to work through the road-map set out below.
The Office of the Data Protection Commissioner plans to issue a series of documents in advance of 25 May 2018. The first document, entitled “The GDPR and You” is now available at www.dataprotection.ie. More information and very helpful infographics are available at www.gdprcoalition.ie.
It has been suggested that the main steps you need to take can be usefully grouped under the broad headings of: encryption and segregation of data, education, incident response planning and cyber insurance. The following suggestions will help you tackle each of these areas.
Your patients may want to exercise their Data Protection rights, which include: access, correction of inaccuracies, erasure of information, objections to direct marketing, restriction of processing and data portability.
Data subjects need to be fully informed about how you collect and use their data.
Future projects will require a Data Protection Impact Assessment (“DPIA”). This means looking at any potential Data Protection issues associated with an intended project and finding a way to mitigate them. A GP practice might, for example, have to complete a DPIA as part of introducing new practice software.
Remember that GDPR compliance is not a once-off project. Getting ready for its introduction will involve an initial wave of preparatory work, but GDPR compliance must remain an ongoing priority for your practice thereafter. A full suite of sample policies is available at medisec.ie. Please note that any sample policy will require careful review and will need to be tailored to the particular workings of your practice.
Please also note that this article is intended to assist you with your preparations for GDPR compliance and is not intended to be an exhaustive summary of all steps required. If you are a Member and need further advice or have a specific query, please contact Medisec.