NHS trusts spend over £1m on General Data Protection Regulation compliance

Research reveals how much trusts are spending preparing for new regulations

NHS trusts have spent over £1m preparing for the incoming EU General Data Protection Regulation (GDPR), according to research from the Parliament Street think tank and MHR Analytics.

The findings are contained in a report entitled Getting the NHS Ready for the GDPR , which was published this week and reveals that 46 trusts have spent £1,076,549 on preparations for the new rules, which come into force on 25 May this year.

This new legislation will increase pressure on hospitals to improve standards of data processing and introduce more-stringent policies for managing information securely

It contains insights and analysis into how NHS trusts are preparing to comply with the legislation, including spending on software, staff training, secure email systems for patient records, and specialist GDPR consultancy.

Topping the list for biggest spender was Luton and Dunstable Hospital Foundation Trust, which set aside £111,200 for GDPR implementation, targeted at staff support and training.

At the bottom of the list was Royal Derby Hospital, which stated it had only spent £500.

Goodmayes Hospital in Ilford also spent £500, with an additional £70 a month on a secure email system for sending patient records.

Other big spenders included Lincolnshire Partnership NHS Foundation Trust, which spent £106,915 on staffing and training, including £1,755 on specialist training.

And South Central Ambulance Service NHS Trust set aside £95,000 for GDPR; while St George’s University Hospitals NHS Foundation Trust spent the same amount on ‘research, analysis and resourcing’.

Nick Felton, senior vice president of MHR Analytics, said of the results: “The incoming GDPR poses significant challenges to health trusts, which are tasked with managing highly-confidential patient data and critical medical documents.

Key to achieving this is for trusts to gain full control of all data and improving its quality to make better decisions for the long term

“This new legislation will increase pressure on hospitals to improve standards of data processing and introduce more-stringent policies for managing information securely.

“It will also require trusts to develop blueprints for notification of privacy and data breaches.”

He added: “With NHS resources already under strain, it is important that the health service moves quickly to meet the GDPR compliance deadline, particularly when the consequences of failing to do so include significant fines.

“Key to achieving this is for trusts to gain full control of all data and improving its quality to make better decisions for the long term.”

Organisations must stand accountable, address these issues, and move forward quickly, perhaps faster than they may be accustomed to. Today’s technology and threats demand nothing less

And Matt Lock, director of sales engineers at Varonis, said: “GDPR aside, the NHS will remain a high-value target for attackers due to the highly-sensitive nature and the number of the patient healthcare records it holds.

"It must quickly get its house in order – not only to meet the GDPR, but also to guard against the next ransomware attack.

"The challenges are real. Like many large healthcare systems, the NHS must deal with legacy infrastructure that was not designed to handle the volume of data and operating systems in use today. It has got to address and replace outdated and unsupported systems as a first step, and this costs money.

"Spending £1m seems like a large investment, but after this funding is distributed across hundreds of facilities throughout the UK, the amount is likely to be far than adequate, given the challenges facing the NHS.

"Organisations must stand accountable, address these issues, and move forward quickly, perhaps faster than they may be accustomed to. Today’s technology and threats demand nothing less.”

Companies