The General Data Protection Regulation (GDPR) will be coming into force in the UK in May 2018. The new rules bring about substantial developments in data privacy legislation which builds on the current Data Protection Act. It is designed to put in place safeguards to protect consumers and customers across all industries. These changes will impact the way organisations are able to store, manage and process personal data, and will have substantial repercussions for those who are not compliant.
What are the main issues?
This should be a concern for all healthcare organisations including the NHS, who are required to store and manage a huge amount of patient confidential information. To this end the NHS and other healthcare organisations will be facing many big challenges. Not least in sourcing and determining where and how they store confidential data. This will not be limited to electronic records, of which there will be many different systems across the multiple organisations. The rule will also impact physical records and paperwork.
There will also be a process needed whereby patients will have to opt in to allow any healthcare organisation to keep and maintain personal records, this is in itself is a substantial task.
Robust, thorough data audits need to be undertaken in order for organisations across the NHS to understand the scale of these data protection developments and the response needed to become compliant.
Aside from the legalities of the new regulations, as a public serving organisation, there are reputational ramifications if the controls and processes in place around patient data fail. Healthcare organisations, and particularly the NHS, are in the public eye and therefore ensuring robust controls exist is critical to continued confidence. A breach of security resulting in data loss could bring adverse publicity, operational downtime, financial loss and reputation damage, not with-standing the increased fines imposed by the GDPR (which could be up to 20m euros).
The new changes introduce a mandatory breach notification stipulation. This means that if controls are breached and data is lost or stolen the NHS would need to notify a data protection supervisory authority within 72 hours. This would need to support internal process that reports and manages efficient and transparent communications with affected individuals/patients. This puts potential breaches under public scrutiny which can have catastrophic results on an organisation’s reputation.
It is clear that the new regulations introduce big change for the heath sector, and it remains to be seen how prepared it is to respond. The key will be taking stock of current data and data sources to ensure that organisations stay compliant.