The General Data Protection Regulation (GDPR) is one of the world’s toughest privacy and security laws.
It applies to any organisation that targets or collects data about people in the UK (UK GDPR) and the European Union (EU GDPR), regardless of where that organisation is based.
UK GDPR took effect in the Data Protection Act 2018 as a result of the UK’s departure from the European Union following Brexit. The key principles, rights and obligations are the same in both jurisdictions. From here on, we’ll refer to the legislation simply as GDPR.
As many practitioners (new and experienced) have questions about GDPR, this guide has been put together to give you a practical understanding of it.
We’ll cover the following:
You can jump to whichever section you’d like to, but for a full overview we recommend reading from beginning to end.
Grab a cuppa, let’s get started!
Disclaimer: This document does not constitute legal advice. If you have any specific questions about GDPR, privacy or data protection you should speak to a lawyer or solicitor specialising in this field.
GDPR: What’s your responsibility?
GDPR is a collective responsibility shared between the data controller (you – the clinician/practice) and the data processor if you have one (such as your practice management system provider).
Jointly, you are responsible for protecting the rights of the data subject (your client) in accordance with the regulation.
You can find a full copy of the regulation text here.
As the name suggests, you as the controller determine what you do with the personal data that you collect and how it is processed.
If you use a cloud-based practice management system, they are your processor and their responsibility is to protect the data and provide the processing required by you, as the controller.
Is my data processor GDPR compliant?
As a data processor, we often get asked this question.
Compliance implies a level of accreditation that doesn’t exist: no one is certified against GDPR.
Whether you’re a data controller or data processor it is your responsibility to comply with the regulation based on:
- your interpretation of the regulations
- the applicability of the regulations to your specific business
- your assessment of the risks associated with recording and processing personal data
We’re not suggesting that you should be complacent in any way, but it’s important to make it clear that there isn’t a box you can tick anywhere and say “yes, we are compliant”.
If you (as a data controller) want some kind of assurance about your data processor, take a look at the relevant international standards.
There are a number that touch on or relate to GDPR, but your starting point should probably be ISO27001.
Here’s the official definition from the ISO (International Organization for Standardization):
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.
Given the standard’s scope and the fact that it requires ongoing auditing and certification, it provides you (as a data controller) with a good measure of a processor’s ability to protect the integrity of your data.
For this reason, it’s probably the closest you will get to a tick in a box, but do keep in mind that ISO27001 and GDPR are not the same thing.
The key rights protected by GDPR
Sure, GDPR means some extra work for us all but data protection legislation is incredibly important.
The key rights protected by GDPR are as follows:
- to be informed (Article 13) – you need to tell clients who you are, why you need their personal data, how you will use it within your practice, how they can modify it, how they can access it, how they can retract consent to hold and process their records and how they can raise a complaint, should they wish to do so.
- to access (Article 15) – you need to provide your clients with access to their personal data if they request it and explain in clear, non-technical terms how you are processing their data.
- to rectification (Article 16) – you need to give your clients the ability to amend/change inaccurate or incomplete information that you hold about them. Moreover, if you have shared their information with another organisation you will need to notify them of the amendments.
- to erasure (Article 17) – in relation to healthcare records the “right to be forgotten” is a tricky judgement call. We suggest either seeking a legal opinion, talking to HCPC (if you’re in the UK and regulated by them) or your professional body.
- to restrict processing (Article 23) – you need to prevent any further processing/use of the client’s record going forward, or until they re-grant you the right to process their data.
- to data portability (Article 20) – you need to permit your clients to move their personal data from one system to another in a structured, commonly used format.
- to object (Article 21) – you need to let your clients know that they have the right to object to their data being used/processed. This includes direct marketing and research.
- not to be subject to automated decision making (Article 22) – this is relevant if you provide certain types of data to health insurers. If you do, your clients have the right not to have judgements made about them based on algorithmic decision-making.
GDPR: Your Step by Step Setup Guide
Both the ICO (Information Commissioner’s Office in the UK) and the Data Protection Commissioner (Ireland) have produced step by step guides to help you with GDPR.
Below is the 12-step process mapped out by ICO & DPC with some commentary based on our own approach:
Step 1 – Awareness
If you’ve not already, you should:
- Make sure your team is aware of GDPR and the broad principles involved
- Maintain a steady flow of GDPR information to your team
- Commit resources and budget to GDPR compliance
- Make time to understand the regulation and documentation (of risks/processes)
- Make time for training/education/awareness if you have multiple team members
- Budget for any legal drafting of policies
Step 2 – Accountability
Some aspects of this step may be very straightforward whilst others may be more challenging.
The bottom line is that you need to know:
What personal data you hold:
If you’ve previously made the decision to put your client-related data into a cloud-based practice management system, it should be pretty easy to identify what personal information you hold.
When your data is in the cloud, nothing is stored locally or spread across different computers and systems: everything is in one place.
However, if you’ve taken a more “fragmented” approach you might find this step challenging.
A fragmented approach might be something like: an Excel spreadsheet with client details stored on Dropbox; Word documents stored locally on your hard drive with Notes on them and perhaps some paper records of assessments or even a hand-written list of client-related tasks.
Where it came from:
As well as knowing what information you hold you’ll need to identify where it came from and going forward you will need to capture the source of each record that you add to the system.
Something along the lines of Walk-In, Web Enquiry, Clinical Referral should be suitable along with a date/time stamp confirming when the record was created.
Who you’ve shared it with:
For many, this could be the biggest challenge as you will need to keep a record of what and who you have shared data with.
In a clinic management system this is pretty straightforward as all outbound communications via email/SMS will be stored.
Maintaining this log serves a couple of purposes, amongst others:
- it allows you to keep track of where you have sent your client’s data
- it allows you to notify the relevant parties (that you have shared data with) if your client asks for a change to the record
Step 3 – Communication
Ensure you’ve done the necessary house-keeping and you have updated your privacy statement to reflect the requirements of GDPR.
Make sure that your clients are aware of key information like:
- The name of your company (as registered with Companies House or your local equivalent)
- The registered address of your practice
- Where they can raise a complaint if they wish to do so. This will be the relevant lead authority in your geographical area. For example, in the UK it will be the ICO (Information Commissioner’s Office) and in Ireland, it will be the Data Protection Commissioner.
Other matters (covered in later steps), like your legal basis to record a patient’s personal data and retention periods, may require legal advice so seek this out if necessary.
Step 4 – Personal Privacy Rights
GDPR is a fundamental set of rights that you should review and thoroughly understand.
Put together an action plan to ensure you comply with each specific right. Doing it this way will make the job less daunting and help to avoid any omissions.
Pay particular attention to these sections:
- the right to be informed (Article 13)
- the right of access (Article 15)
- the right to rectification (Article 16)
- the right to erasure (Article 17)
- the right to restrict processing (Article 23)
- the right to data portability (Article 20)
- the right to object (Article 21)
- the right not to be subject to automated decision-making including profiling (Article 22)
Step 5 – Access Requests
In the event that you receive an access request, you will need to have the internal processes in place to:
- Ensure your staff recognise it and act upon it immediately
- Record the access request with a time/date stamp in your practice management system or log
- Securely provide the information to your client free of charge within 30 days
Step 6 – Legal Basis
You might be able to put together an acceptable privacy statement that covers the key aspects of GDPR, but we advise speaking to your lawyer (or better still, a lawyer that specialises in data protection) to get professional assistance.
Amongst other things, it will need to include:
- Your legal basis for processing your client’s personal information.
- Details on how long you will keep their data for.
Good practice management software will provide you with a data hygiene tool that lets you see the retention periods of your records and manage them accordingly.
Step 7 – Consent
Many clinicians are familiar with the concept of clinical consent; however, consent in the context of GDPR relates to gaining your client’s agreement for you to store and process their personal information.
When you gain consent you will need to do two things:
- Keep a record of when and how you got consent from the individual
- Keep a record of exactly what your client was told when they granted consent
Step 8 – Children
As part of any initial assessment, most clinicians dealing with children will record the child’s age.
Under GDPR a child is any individual under the age of 18 and as such consent to capture and process personal information must be granted by an adult who must be identified as part of the consent process along with their relationship to the child.
Step 9 – Reporting Breaches
GDPR places multiple responsibilities on both data controller and processor in relation to data breaches, including:
- measures to detect possible breaches
- reporting a breach to the relevant supervisory authority and/or the individual impacted, depending on the nature of the breach
- investigating the cause of any breach
Data processors should have measures in place to detect system-based data breaches and you will be notified in accordance with their contractual obligations if a breach occurs.
From your perspective, breaches are potentially more likely to occur as a result of human action than system failure.
To mitigate this and aid detection there are some simple measures that you must put in place, such as ensuring that all users have unique logins and enabling two-factor authentication.
Both of these measures ensure that any malicious actions leave an audit trail that can be used to help with detection, reporting and investigation.
You may also want to take a look at insurance: Hiscox’s cyber-attack and data breach policy may well be appropriate.
Step 10 – Data Protection by Design
You are legally required to “design-in” privacy.
Whilst this might sound slightly daunting it makes absolute sense in the context of the rest of the regulation.
GDPR shouldn’t be thought of as a one-time thing where you tick the box and forget about it.
Every future action/initiative/project which impinges on personal data should be carefully considered with a clear eye on privacy.
Where a significant risk is identified you will need to go through a formal process and conduct a DPIA (Data Protection Impact Assessment).
ICO has produced some very helpful guidance on this which you can take a look at here.
Step 11 – Data Protection Officer
Although GDPR doesn’t oblige every business to employ a Data Protection Officer, it’s good practice for someone in your organisation to:
- have the requisite knowledge about GDPR
- be responsible for complying with GDPR
- ensure that data protection is “designed in” to your business planning and process changes
- evolve, mature and improve how you comply with GDPR
Step 12 – International (Lead Authority)
If your organisation operates in multiple countries you should map out where your organisation makes its most significant decisions about its processing activities.
This should help you to determine your ‘main establishment’ and therefore your lead supervisory authority.
For example, if you primarily operate in the UK your lead supervisory authority would be ICO and this is where your clients would go if they wanted to lodge a complaint or if you needed to report a data breach.
GDPR may seem daunting, but it can be kept on top of if you:
- apply some effort to research and understand the regulation
- apply some common sense
- think of the regulation in terms of the protections that you would want and expect for yourself and your family
The main thing to remember is that data is personal if it can be related to an individual.
We have found that there are a number of situations where client names/addresses need not be referenced and the same will be true in your practice.
Whilst it’s nice and friendly to include someone’s name in a confirmation/reminder email/SMS, it’s not always necessary, and as soon as you remove it you eradicate any issues about patient identifiability.
Similarly, in documentation, you might elect to use a universal identifier like the NHS number instead of referring to clients by name.
If you’d like to use WriteUpp to store your client records, rest assured that:
- Our entire infrastructure is hosted on Microsoft’s world-class Azure platform to ensure we fulfil our obligations as your data processor.
- We continue to roll out measures and features to protect the integrity of the data that we hold, including two-factor authentication.
- We have all the key features that clinicians (data controllers) need in a practice management system and management accounts template to comply with GDPR.
WriteUpp are not GDPR specialists and are not the organisation you should look to for formal advice: seek legal advice if you are in any way concerned about your GDPR policy.