GDPR - the new 'Millennium bug'?

Roger Matthews looks at the significance to you of the EU’s forthcoming General Data Protection Regulations.

If it hasn't already happened to you, it will! Over the next few months you'll be approached with numerous offers to guide you (for a fee) through the 'demanding processes' of compliance with the EU's General Data Protection Regulations (GDPR).

"Aargh," you may say, as you read the doom-sayers' predictions of harsh fines and imprisonment (or both), here comes yet more compliance pressure on my overworked dental team!

However, you should be reassured by the Information Commissioner's statement that anyone (or any organisation that complies with the existing Data Protection law, is already well on the way to achieving compliance with the new requirements.

New Data Protection Act from 25th May

GDPR was issued by the EU in May 2016, giving all member states two years to comply. It's provisions will apply in the UK from 25th May this year. However, each country has some freedom to amend a few details and the UK Government has also decided to 'tidy up' and 'tighten up' on the existing law, the Data Protection Act 1998.

so, on 25th May there will be a new Data Protection Act 2018. This will encompass the GDPR requirements and the draft legislation is currently lumbering through Parliament. The

House of Lords has been debating it since October and it probably won't get the Royal Assent until sometime around Easter.

While we don't absolutely know what the final version will look like, we do know most of it, given that much of the discussion will not really be relevant to dentistry in particular, or primary healthcare in general.

12 step guide

The Information Commissioner's Officer (ICO) has already issued a '12 step guide' to the GDPR which is a useful start to check your current status. As a responsible practice you'll already be registered ('notified') with the ICO (don't be fooled by the earlier news that GDPR will abolish notification or annual fees!) Plus, you'll have a Data Protection Policy and an Information Security Policy (Information Governance compliance too, if you're an NHS contract-holder).

It is worth checking some things at this early stage, however. Do you obtain 'specific and explicit' consent from your patients to store their data? Do you have a privacy notice that tells patients (and prospective patients, for instance on your practice website) exactly what data you hold and who you share it with?

Data flows

It may seem simply - you keep their personal details and health records and because you know all about professional confidentiality, you

keep it all to yourselves. But what about your IT system? Is it backed-up in-house? Is it held in ‘the Cloud’? And if so, where exactly? Do you send patient information to any third

parties, such as insurance companies or Simplyhealth Professionals, for instance? You can be certain that Simplyhealth has rigorous security, but do others? Do you? Is any data taken home or stored on USB sticks or personal computers? It’s worth thinking it through and conducting an audit to look at all the data inflows and outflows.

When you know exactly where all your patient and staff data comes from and where it goes, you can rest assured that you’ll have ticked off one important stage in preparing for the 25th May deadline.

Read Part 2 of this blog

Read Part 3 of this blog

Errata - Postscript by Roger Matthews

A quick note before you read through my blogs on GDPR (or if you’re reading them again). The complexities of this new legislation (and the amendments taking place at the eleventh hour in Parliament) mean that my commentary has been “on the hoof” so to speak and based on available knowledge at the time of writing (starting last December). So there are a few points I now need to clarify and correct.

In Part 1 ‘GDPR - The New Millennium Bug?’ I mention specific consent from patients for processing data. It’s now clear that this is a bad basis to use since patients can withdraw consent. I correct it in Blogs 2 and 3. Oh, and the new law will be the Data Protection Act 2018 (not 2017).

In Part 2 'GDPR - Privacy Notices and Consent' I refer to patient consent possibly being needed for referrals. This arose from some EU commentaries on GDPR (The Section 29 Working Party if you must know) whose advice was rather vague. I now think that this is unnecessary by virtue of exemptions in the Act. I also got the new ICO fees wrong – but those were the ones she was suggesting to the Government at the time… plus ça change…

Finally in Part 3 'GDPR and Data Protection', written as recently as March, we have again been overtaken by events. It seems the ICO will ‘assume’ everyone is in Tier 3 for fees, so unless you want (or need) to pay £2,900 a year, make sure you correct her when your renewal notice comes around (on the anniversary of your current notification fee). The Report stage of the Data Protection Bill happened on Wednesday 9th May when there was a whopping 138 amendments to be considered. One of those of particular note was an amendment to exempt primary care providers with NHS contracts from appointing a Data Protection Officer. Sadly for NHS providers, the Government rejected this amendment.

The Bill now returns to the House of Lords for the final stages.

Roger Matthews

GDPUK Thanks SimplyHealth Professionals and Roger Matthews for their permission to reproduce these three blog articles.