Ignore GDPR at your peril
9 February 2018
It’s tempting to see the new General Data Protection Regulation (GDPR) as more legislation that can be safely ignored. After the GDPR takes effect, and all the lawyers, consultants and event organisers have made their money, it will be business as usual, right?
Unfortunately the answer is no. For healthcare organisations, doing nothing before the 25 May deadline is risky bordering on reckless.
While it’s true that in many ways GDPR simply reinforces principles in existing data protection legislation, it also introduces some fundamental changes that anyone dealing with healthcare data, specifically personal medical information, needs to heed.
In 2015/16, 45% of all data security breaches reported to the Information Commissioner’s Office (ICO) involved the health care sector. In May 2016, the ICO handed out fines totalling £365,000 to NHS organisations.
Under the GDPR, maximum fines will increase from £500,000 to €20 million. If the biggest fine handed out to an NHS organisation to date - £325,000 to Brighton and Sussex University Hospitals NHS Trust – were scaled up under the new rules it could reach €15 million.
Speaking at a recent PCC event, David Hill, legal director at Hill Dickinson, said: “There’s money to be made creating a sense of alarm about GDPR, but there are some objective reasons we need to get to grips with it. If you do nothing, you will almost certainly be in breach.”
Since 2010 European lawmakers have been concerned by patchy implementation of data protection law. With each country free to enact its own legislation, there is no common understanding of fundamental concepts. For example, definitions of “personal information” vary from country to country.
A decision was taken to replace the current EU directive, with its wide scope for interpretation, with specific regulations which each country will need to enshrine in law.
Hill warned against the hope that GDPR could become irrelevant post-Brexit. Financial services companies and other organisations hoping to trade in Europe after the UK’s withdrawal will need to be GDPR compliant. Meanwhile new legislation implementing GDPR is currently making its way through the UK Parliament. “GDPR is here to stay,” Hill says.
“A lot is not new but is augmenting what is already there or making explicit what is now implicit,” said Hill.
AMONG THE CHANGES ARE:
- New/amended definitions and scope
- New/amended data protection principles
- New/amended conditions for processing
- New rules about consent
- New/amended data subject rights
- New obligations for data controllers and processors
- More robust regulation and enforcement.
For health care organisations, where the data being processed is sensitive personal data – or what GDPR now terms “special category data” – the rules are set to become much tighter. Organisations cannot rely on inferred consent: it must be explicit.
Hill warns NHS bodies not to rely on consent where there is no genuine choice on offer. For example a patient undergoing a course of treatment should not be given a choice about whether the clinicians concerned can access their medical records. “It’s fine to say in effect we’re not asking for your consent because it’s part and parcel of the service,” Hill says.
“A way can always be found for any processing that is legitimate. For example, get the patient to sign to acknowledge what you propose to do with their data rather than obtain consent.”
The law makes no distinction between large and small organisations, so while trusts and other large NHS bodies may feel confident that they have the capacity to deal with new rules around record-keeping and the compulsory appointment of data protection officers, others, such as general practices, may be concerned about another tsunami of bureaucracy heading their way.
Acknowledging that understanding and implementing the new arrangements could seem onerous, Hill said this was another area where it made sense for practices to join forces. For example, LMCs and federations could develop policies that can be shared by their practices. While every practice will be required to have a data protection officer (DPO), it is allowable to act as DPO for more than one organisation – again, this could be a role performed at federation level on behalf of a number of practices.
The PCC and Hill Dickinson event Implications of GDPR on the Health Care Sector is repeated on 12 April in Leeds. Other local events may also be run, subject to sufficient demand.
To book your place at the Leeds event: http://bit.ly/2Ex0nvP
For all other enquiries email firstname.lastname@example.org with GDPR in the subject line.