Design | Marketing | MEDIA

GDPR, oh no not that again…

We are all sick of hearing about GDPR, but are you ready? 

There is only a week to go until it becomes law across the EU. 

Don’t think that just because you aren’t a huge organisation with billons of bytes of data that it doesn’t apply to you. It does, and you need to be ready. 

The healthcare sector is well versed in dealing with sensitive information. The data that is moved around is already pretty secure, so the GDPR rules in the most part are probably already being adhered to… but don’t presume, you have a legal responsibility to make sure that you and your partners are following the new rules. 

In theory, the transition to the new GDPR rules for the healthcare sector should be fairly straight forward, if not entirely pain free. 

What is GDPR? 
General Data Protection Regulation (GDPR). 

In a nut shell, GDPR supersedes the existing Data Protection laws. The new framework gives individuals much more control of what data is held about them. It also restricts the storage of this data for reasons not directly associated with day to day running of your business, or supplying the service, or services, that the individual has requested. 
You must have a valid reason for holding the data, it must be used lawfully, and you must have explicit consent from the individual to hold and use the data. The potential fines for non-compliance are potentially eye-watering; 4% of total turnover or up to €20m EUR. Gulp! 

Data needs to be secure. 
Any data you are moving around needs to be done so securely. 

The hospitals systems and recognised healthcare software tools that you currently use should be compliant with the new rules, but you need to check with your supplier that they are also compliant. 

With regards to your own internal systems, you need to make sure you are adequately protected. 

All of your computers need to have up to date antivirus & malware software, you should password protect any documents that contain personal information. In addition you should use an encrypted email service (such as: Egress or Protonmail) when sharing any information with patients, health insurers, colleagues etc… 

If someone steals your data and you haven’t adequately secured it, you could be in a lot of trouble. 

If you do have a breach, you have 72 hours to notify The Information Commissioner’s Office… But prevention is better than cure! 

Right to delete data: 
An individual has the right to have all data held about them deleted. There are legal requirements to retain patient information of course, but as soon as that period of time has elapsed, you must delete the data unless you have specific permission from the individual, or reason to retain it. 

You should only keep data that identifies Individuals when it is necessary. 

If you keep data for research or clinical review purposes, but have no need for that data to be associated with an individual, you should anonymise it. If you are planning to retain anonymised data it would make sense to state this in your privacy policy. 

What is a privacy policy? 
You must have a privacy policy that explains what data you will hold on patients, how that data will be used, how long you will keep it, who you will share it with and if you intend to use it for marketing purposes. 

Make sure this is available and is given to patients, so they understand the details of how their personal information will be used. If you have a website, it makes sense to publish it on the site and give easy access to your policy to anyone who might want to see it. 
However, it’s not just your patients you need to think about; your staff, partners, contacts etc. will all have records, and they are also covered by GDPR. 

There are some useful healthcare specific guides and templates available to help you write your policy document; see “useful links” below. 

But aren’t we leaving the EU? 
The government has stated that it will keep the new rules after Brexit, so don’t think it’s going to fizzle out and disappear as we leave the EU in March 2019. 

8 Step Plan: 
1: Register with the ICO 
As a consultant you are required to register with the Information Commissioner’s Office. 

2- Review what data you current hold: 
What data do you have? – is it data you need, or are required to hold? If not, you need to delete it. 

3: Write a privacy policy: 
This needs to explain what data you will hold, how that data will be used, how long you will keep it, who you will share it with and if you intent to use it for marketing purposes. 

4: Check 3rd party contracts 
Your suppliers should also be GDPR compliant, and it is your responsibility to check with them that they are. 

5: Get consent: 
Put a clear process in place to obtain explicit consent from any individuals that you currently hold data on. 

6: Lock it up: 
Make sure your systems are secure; any data moving around needs to be protected. 

7: Plan for the worst, hope for the best: 
Have a clearly laid out policy on what to do if you have a breach. If you know about it, you must report it. 

8: Don’t panic: 
Will everyone get it right? Probably not, but if you have genuinely put processes in place to the best of your ability, but have still been compromised, you’re likely to get a slap on the wrist and told to put your house in order. If you have a breach and have not even attempted to be compliant, then you could be in a heap of trouble! 

There will be a period of adjustment as the rules come into force. As the requirements for an individual business becomes clearer, you should update and refine your policy accordingly. 

Useful links: 
Information commissioner’s office 
ICO Preparing for GDPR 
BMA GDPR guide 
GMC Guide to GDPR 
The MDU – Getting ready for GDPR 


We aren’t legal experts and our understanding of GDPR isn’t comprehensive. This article is simply an overview of what we have picked up over the last few weeks when looking at GDPR. We hope it is useful, but if you have any concerns about your use of data, or your compliance with the new rules you should consult a specialist in GDPR law and/or an expert in GDPR data requirements.