GDPR is coming, whether we like it or not.

GDPR - some of you have heard of it, others may not have but these 4 letters need to be taken seriously by everyone in 2018. Whether you are a sole practitioner or a big clinic, GDPR will affect many different aspects of clinic life. So the main question on everyone’s lips is: what exactly is GDPR?

This is the first in a series of 5 monthly blogs that will explain the key elements of GDPR for clinics. This month, we begin with an introduction and an explanation of key terms and definitions. These terms and definitions are fundamental to you understanding how GDPR will affect you and how you should approach it ensuring your clinic becomes compliant.

What is GDPR?

The General Data Protection Regulation is a new Europe-wide law that replaces the Data Protection Act 1998 in UK. GDPR sets out requirements of how organisations will need to handle personal data from 25th May 2018.

What information does GDPR apply to?

It applies to “personal data”, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference of an identifier. There are additional rules in GDPR for organisations who process special category data. This includes information about the patient’s health.

Why have they changed Data Protection Laws?

Think about this… how has technology changed since the 90s? Social media, administration systems and data sharing are all completely different and have taken on methods that could never have been predicted in the 90s. Given these massive changes, the current Data Protection Laws are now deemed “not fit for purpose.”

---

Here’s some key GDPR definitions:

Personal Data

Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular reference to an identifier. Examples of personal data are: name, IP address, ID numbers.

Sensitive Data

GDPR classifies these are personal data:

• Racial or ethnic origin
• Political opinion
• Religious beliefs
• Trade union membership
• Physical or mental health condition
• Sexual life or orientation
• Genetic data
• Biometric data

A breach of “sensitive data” is deemed more serious and can result in big fines

Data Subject

An individual who is the subject of personal data. This does not include deceased individuals or individuals who cannot be identified or distinguished by others.

Processing

Any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means such as:

• Collection
• Recording
• Organising
• Structuring
• Storage
• Adaptation or alteration
• Retrieval
• Consultation
• Use
• Disclosure by transmission
• Dissemination or otherwise making available
• Alignment or combination
• Restriction
• Erasure
• Destruction

So basically anything you do with personal data is deemed as processing.

Data Controller

“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.”

Data Processor

“A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Processors make no decisions, they just do what they are asked to do by the Controller.

Data Protection Officer

Someone who is responsible for overseeing data protection strategies and implementations to ensure compliance with GDPR.

---

How do clinics become compliant?

Well, no one system will make you compliant on its own. You will need to think about various aspects of your clinic and make changes to ensure you are in line with GDPR. This will include areas such as internal processes, staff training, security of data.

At the minute, some aspects of GDPR as still a bit vague as the detailed legislation hasn’t been finalised yet and there is no case law to use as a reference point. This means that right now, no-one has all of the answers to all the questions. Following guidance available on GDPR will aid you in your compliance journey.

Over the next few months we will be talking you through the basics and how clinics can begin tackling the task of GDPR compliance. We will be addressing questions such as: What do I need to include in my privacy notice? Do I need to appoint a Data Protection Officer? What are the rules of security under GDPR? Are there stricter rules on consent? What happens if I have a data breach?

Stay tuned on social media for the next instalment in the GDPR journey.

The Information Commissioner’s Office offers guidance on all things GDPR. Visit https://ico.org.uk to find out more.