Robert Brooks looks into the impact of data compliance for GP practices and healthcare providers.

Now that the new data protection regulations are in full force and we are all seeing data protection stories in the news, it is of no surprise that we are seeing an influx of individuals making use of their newly found rights. The fact that some of these rights have always been there is by the by. The understanding is there and individuals are using the law to their advantage. One of the key rights that are being exercised at an increasing rate is our old friend the Subject Access Requests or SARs as they are colloquially known.

The concept behind Subject Access is to allow data subjects (you and me) to understand whether or not an organisation is processing their data and what organisations are doing with their data, why they are doing it and, how it is being looked after, great! Sadly this right is often used by individuals to cause organisations painful problems, often after some form of disagreement.

SARs can be painful, this is because they can be time consuming and costly, especially if you haven’t got a process in place to deal with them. This pain can be amplified if you have to redirect manpower from your day to day business. The British Medical Association, for instance, has stated that doctors are feeling the pinch from the recent influx of data access requests following the arrival of the new legislation.

The GDPR has placed extra pressure on doctors and their support staff and, the knock-on affect is the reduction of time spent with patients. This is on top of all the other stresses our health system is under.

This effect is being felt in many organisations. Not least in healthcare, where stakes are high and efforts brought about by the regulation change are not letting up, and this will become the norm.

So what do you do? Well, for GPs the necessity to not play compliance roulette is overbearing, especially when you are processing Special Category data, which can often relate to children and or individuals that are considered vulnerable. Therefore, you must get your obligations right. This means that many organisations are left thinking that either you redirect valuable internal resource away from providing medical care to deal with the requests (and train those individuals), or you employ a Data Protection Officer.

But there is another way; individual practices or practices that wish to group together could bring in a trusted and qualified third party. We at Stephens Scown have many years of experience supporting our clients with these types of requests. We can be parachuted in and securely work to expedite these types of requests with very low impact on the organisation. We can deliver training and build relationships that will, over time, allow the organisation to deal with these requests more efficiently and with less input from us.

If you would like more information about support or have questions regarding the new regulations, please do get in touch.

Robert Brooks is the privacy officer at Stephens Scown.  Robert advises clients on data protection and privacy.  To discuss this article or another data protection issue you can get in touch either by telephone 01392 210700 or by email ip.it@stephens-scown.co.uk