Are you prepared for GDPR?
18th Oct 2017
As of 25th May 2018, GDPR compliance will be mandatory to all businesses that process and handle personal data. The new regulation will supplement the existing Data Protection Act.
Currently, the General Dental Council is not offering GDPR training to dentists and instead leaves practitioners responsible for their own road to compliance.
In order to comply, practices will need to review their approach to governance and how data protection is handled.
Here are several steps you can take to be ready for GDPR:
- Awareness: Decision makers and key individuals in your organisation need to be aware of GDPR. Employees need to appreciate the impact of GDPR and identify areas to be looked at in order to comply.
- Determine the information you hold: Document what personal data you hold, where it came from and who you share it with. GDPR requires you to maintain records of all data processing activities.
- Communicate privacy information: Review your existing privacy policy and determine whether changes are needed for GDPR compliance. For example, under GDPR you will need to include your lawful basis for processing the data.
- Patients’ rights: Procedures should be checked to ensure they cover all the rights your patients have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Prepare for subject access requests: Update your procedures and plan how you will handle requests to take account of new rules.
- Determine the lawful basis for processing personal data: Individuals' rights will differ depending on your lawful basis for processing data. For example, if you use consent as a lawful basis for processing, patients will have a stronger right to request deletion.
- Alter how you gain consent: Consent must be freely given, specific, informed and unambiguous. Positive opt-in must be gained – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
- Alter how you gain consent from children: GDPR sets the age for when a child can give their own consent to this processing as 16.
- Prepare for data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty on all practices to report certain types of data breach to the ICO, and in some cases, to individuals.
- Data Protection Officers: You should consider whether you are required to formally designate a Data Protection Officer (DPO).
GDPR is complex legislation, requiring a dramatically different approach to the handling of patient data. Unfortunately, ignorance will not be accepted as an excuse, so your preparation is key!