General Data Protection Regulation (GDPR): How healthcare organisations should prepare for compliance

Emma Roe, head of commercial at Shulmans, looks at the impact of the new General Data Protection Regulation on the healthcare industry

A monumental shift is on the way in the rules governing the use of personal information, which will affect how all healthcare providers handle individuals’ data, whether relating to patients, staff, contractors, carers or other stakeholders.

The General Data Protection Regulation (GDPR) is a new law relating to data protection which is due to take effect on 25 May 2018.

This may sound a long way off, but significant steps are needed to ensure your healthcare business is fully compliant.

Many question whether the need for compliance with GDPR is still relevant, given the outcome of the referendum vote. However, as Brexit is unlikely to take effect before March 2019, all UK organisations, including healthcare institutions, will need to comply with GDPR as of 25 May 2018 or risk being in breach.

Even after Brexit takes effect, the UK will need to adopt its own legislation in place of GDPR, which will have to be broadly similar in effect.

The Information Commissioner, who leads the regulatory body governing data protection compliance in the UK, has made it very clear that this will be the approach.

So steps taken now to comply with GDPR will not be a wasted effort, but instead a way of futureproofing your compliance.

Providers of healthcare services such as independent nursing homes, hospice care providers, domiciliary care service providers, opticians, dental practices and similar clearly deal with a large volume of sensitive personal data relating to their patients, carers and families, including potentially vulnerable individuals and those not able to give consent on their own behalf.

The healthcare sector has always been a maze of complex data usage. Combine this with the high levels of regulatory scrutiny and a significant reputational risk of getting compliance wrong and GDPR should be on every organisation’s radar already.

Healthcare organisations will be processing various categories of data, mostly relating to patients, carers, family and staff, in order to carry out basic daily operations.

For the organisations, GDPR will require the designation of a Data Protection Officer (DPO).

While this role may already exist in some form, GDPR imposes much stricter qualification and experience requirements, meaning that simply ‘wearing this hat’ alongside an individual’s day job is unlikely to be sufficient.

Recruiting or training a suitable individual should be an immediate concern, as, in reality, there are not enough sufficiently qualified specialists in the market to meet demand.

New requirements to minimise data and incorporate aspects of data protection into the planning of any new project or processing activity mean that even those organisations which are currently data protection compliant will still have some adjustments to make.

Starting to plan for such eventualities now in relation to any new project will certainly have its benefits for protecting any significant implementation plans from being adjusted as the law changes next year.

Another factor for consideration is that individuals are becoming more aware of their legal rights in respect of data protection, with the scope of these rights increasing under GDPR.

Subject access requests are increasingly common, with individuals wanting to know what data is held on file about them and their family. All organisations will need to have a comprehensive understanding not only of the data they hold, but also where it is stored across the organisation, in order to comply with such requests within the newly reduced deadline of 30 days once GDPR is in force.

Failure to tackle GDPR in time for it to take full effect could lead to significant consequences for any organisation.

The Information Commissioner’s Office (ICO) will be able to impose fines based on a percentage of worldwide turnover or a fixed sum, whichever is higher. This can be up to €20m, a steep increase of almost 40 times the current maximum fine limit.

Perhaps more importantly, any step taken by the ICO can, and will, be published.

This not only puts the organisation under the scrutiny of the ICO going forward, but puts any breach or investigation in the public domain.

Where trust and safety are the foundation stones of your organisation, this reputational risk could have consequences far more damaging than any monetary fine.