The General Data Protection Regulation (GDPR) represented a major shift in the way organisations are allowed to process personal data. From the impact on sending marketing information to how you hold personal data about your employees and service users, the regulations have far-reaching implications for the care sector.
Although most organisations in the care sector are likely to have heard about GDPR, there is still a significant amount of confusion about what organisations need to change to comply and the practical implications. Any organisation found not to be complying could suffer significant fines and damage to their reputation. In addition, the Quality Care Commission is also likely to take a dim view of organisations that consistently fall significantly below the GDPR standard of compliance. It has been almost a year since GDPR came into force but many organisations are still not in compliance. Here at Stephens Scown we have advised many organisations in the last few months who thought they had “sorted” their GDPR compliance but when an issue has arisen (such as a subject access request received from a customer or an ex-employee or a data breach has occurred) it has revealed significant weaknesses in their compliance program.
Time to Review and Reflect on your GDPR Compliance Program
Now the dust has settled it is time to take stock and review what you have done to date and what further work needs to be done. As a general checklist those organisations in the care sector should consider the following items:
ICO Notification Fee
The ICO has recently announced that it has just fined 25 care homes for failure to pay the ICO notification fee – it is therefore important you check if you need to pay this fee and that the correct payment is made to avoid the embarrassment and cost of being added to this list.
Conduct a Thorough Data Mapping Exercise
As GDPR requires you to tell people what you are doing with their data you cannot do this without carrying out a detailed data mapping exercise to identify what personal data you hold, where it sits, how it is used and where data is shared with third parties. In the rush to meet the 25th May deadline many organisations put in place generic privacy policies and notices that were not relevant to how they actually handled personal data within their organisation – such policies are unlikely to stand up to ICO scrutiny.
Know your Legal Basis for Processing Personal Data
It is important to know the legal basis you are relying on for each data processing activity you carry out. If relying on consent ensure you have obtained adequate consents where they are needed. Many organisations are relying on legitimate interests as the legal basis for processing personal data but have failed to record their legitimate interests assessment which is essential for demonstrating accountability.
Client Facing Documents Updated
It is important not to forget to update all of your client facing agreements and policies in line with GDPR. Many organisations are still using documents which still refer to the Data Protection Act 1998 and do not comply with GDPR.
Review of Third Parties
It is important to review your agreements with third parties who have access to data (such as marketing companies, email hosting companies, payroll providers etc.) and identify those who may be transferring personal data outside of the EEA and the legal basis they are relying on to make such a transfer. Sharing personal data with other healthcare organisations should also not be ignored and should be within the scope of this review. Under GDPR if you appoint a third-party to process personal data for you there are certain mandatory data processing terms that need to appear in your contract with that third-party.
Training, training and more training
Over 90% of data breaches are due to human error. You can have the best IT systems in the world but still be breaching GDPR regulations if employees do not have secure passwords and are not adequately trained in your data protection policies. Training is therefore key. GDPR requires that staff are trained on protecting personal data and if a complaint is made to the ICO or you need to report a data breach the ICO will ask when your staff were last trained on data protection, particularly in cases where human error is to blame.
Don’t Forget Staff
With all the focus on sending marketing information and customer data don’t forget that your GDPR compliance program also needs to cover how you handle the personal data of your employees and contractors.
Responsible Person for Data Protection Queries
Even if you are not required to appoint a data protection officer under GDPR it can still be helpful to have a central point of contact within your organisation that understands data protection and can deal with queries as they arrive. You should also have a contingency plan in place if this person is unavailable in an emergency.
Know what to do in the event of a breach or receipt of a Subject Access Request
You need to ensure that you have a robust breach policy in place (certain data breaches need to be reported to the ICO within 72 hours) and that staff know what to do in the event that a subject access request is received to ensure the tight timescales under GDPR are met.
Don’t Forget CCTV
Due to its impacts on privacy the use of CCTV requires several considerations:
- Have you carried out a privacy impact assessment for use of CCTV?
- Do you have correct signage for CCTV?
- Have you registered with the ICO?
- As a separate type of processing, CCTV surveillance will need to be included in any policies you have. It will also need to be listed as a method through which you collect personal data.