Q. I’ve heard a lot about GDPR, but I don’t really know what it’s about. Should I?
A. Jonathan Papworth, Co-Director, Person Centred Software
25th May 2018 may seem some time away, but by that date most organisations in Europe will have to become compliant with the General Data Protection Regulation (GDPR).
GDPR came into force in 2016, and there are now only a few months left to ensure that your organisation complies with this new Europe-wide regulation.
What is GDPR?
GDPR replaces the Data Protection Act 1998 (DPA) with a much more stringent regulation that will be enforced by the UK Information Commissioner's Office (ICO) from 25th May 2018. The regulation puts control firmly back in the hands of the data subjects (the people the data is about), and puts significant new corporate requirements in place to ensure that all data controllers (the organisations that decide why and how data is used) and data processors (those that handle it on a controller's behalf) are able to meet their data security obligations.
Most businesses, schools, even churches are gearing up to manage the impact of GDPR, and every social care provider will be impacted. This means there are vast amounts of work currently taking place across every industry focused on meeting the GDPR deadline and, as time passes, this work rate increases.
There is so much work involved in becoming compliant – involving contracts, suppliers, data-mapping and training – that putting this off until next year is not a viable option. Putting it off only increases the risks of non-compliance and the chance of being fined should a data breach occur. Professional service companies specialising in GDPR advice will become harder to engage and, almost certainly, demand will outstrip supply.
What’s changing with GDPR?
The purpose of GDPR is to protect individuals' data that is held by third parties. It builds on the DPA, but takes it further by making data controllers (and the processors working for them) continually accountable for all the data they hold. This is a significant change that should not be under-estimated.
It gives individuals the right to know what data is being held about them, and the right to have this information removed, unless there is a lawful reason, such as a legal obligation, to keep that data.
The first important change is that manual filing systems are affected – not just computer data.
The ICO says that, ‘The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.’
If care plans are kept in a filing cabinet then these are affected, as are daily records and charts kept in a folder. Any manual records applying to staff or service users are also included in GDPR.
The second major change is that it is no longer good enough just to be compliant – there is a new accountability requirement. It means that you must be able to demonstrate that you comply and have put in place governance measures to minimise breaches and protect personal data.
One area that is often forgotten when it comes to data protection is data back-ups and replication. Older computer systems back up data to USB drives or tape; these copies contain just as much personal data as the main computer systems and are, therefore, subject to the same regulations. If a care plan can be restored from a tape, the tape needs the same protection and the same documentation as the live system.
Equally, printing a care plan from a computer system means that there are both ‘manual’ and ‘automated’ copies – both needing documentation showing how they are processed.
The ICO says that this accountability requirement ‘Is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place’. If your organisation is fully compliant with the DPA, then the first step could be to document how data is managed, including any paper records.
Under GDPR, data subject access requests (DSAR) are also changing. These are requests by individuals to an organisation that processes his or her personal data. Under the DPA, people have the right to access information held about them, with some exceptions.
Under GDPR, the period that organisations have to comply with a DSAR reduces from 40 days to one month. In addition, the penalty for not complying with the DSAR requirements (including the response time) increases significantly: infringing a data subject's rights falls in the higher tier of fines and could cost the organisation holding the data (the data controller) up to 4% of annual global turnover for the previous financial year or €20m, whichever is higher.
With the possibility of such a penalty, developing proactive ways to deal with DSARs (logging each request on the day it arrives, and tracking it against the one-month deadline) is another task that organisations will need to consider in order to comply.
How do I comply with GDPR?
According to the ICO, ‘The GDPR requires you to show how you comply with the principles – for example, by documenting the decisions you take about a processing activity.’
‘For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA.’
Like many regulations, the words used can seem confusing, but 'processing' is simply any operation performed on information: collecting, storing, reading, editing, sharing and deleting it. This covers writing it down, typing, printing, emailing, backing up and shredding.
'Processing' can simply be replaced with 'having information held in any paper or electronic form', because the simple act of 'having data' means you are processing it, whether as the data controller or as a processor acting for someone else.
So, to be lawful, it is necessary to have a reason for having this information. It is not appropriate to hold information unless there is a good reason for it, and that reason (the lawful basis) is documented.
Does GDPR apply to me?
The primary purpose of GDPR is to protect individuals' rights over private information held about them. Guidance on GDPR is still being published, but in June 2017 the Article 29 Working Party published its guidelines on high-risk data protection functions. The document gives six examples where a Data Protection Impact Assessment (DPIA) is likely to be necessary.
There are two that apply to care providers:
- ‘A hospital processing its patients’ genetic and health data.’
- ‘A company monitoring its employees’ activities, including the monitoring of the employees’ work station, internet activity, etc.’
Care providers are not hospitals, but health data is a significant part of care plans, so care plans are included.
Whilst monitoring employees' internet activity might not be relevant, the risk applies to monitoring any activity, and this includes clocking in/out, holiday and sickness records etc. It could easily be argued to apply to writing daily records, or filling in service user charts. Wherever the employee could be identified as the person undertaking an activity, this is likely to be classified as monitoring their activity.
The regulation applies to all individuals, be that service users or members of your staff; any monitoring that captures 'Person Identifiable Information' carries equal weight under GDPR.
DPIAs are a tool for organisations that hold data to help implement data processing systems that comply with GDPR. They are mandatory for a number of classes of processing. Of primary interest for care providers is 'processing sensitive data', which includes the health data in every care plan.
What are the risks of GDPR?
The June 2017 Working Party Guidelines state that there are financial risks in failing to comply with the DPIA requirements.
They say, ‘Under the GDPR, non-compliance with DPIA requirements can lead to fines…Failure to carry out a DPIA when the processing is subject to a DPIA…carrying out a DPIA in an incorrect way…or failing to consult the competent supervisory authority where required, can each result in an administrative fine of up to €10m, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.’
This means that there is a fine of up to around £9m simply for not completing the assessment of risk. There may never be a data breach, but failing to assess whether the data is safe is itself classified as non-compliance.
In the unfortunate event of a data breach, there is a responsibility to report it to the ICO. Failure to report falls in the same tier as the DPIA failures above: a fine of up to €10m (about £9m) or 2% of turnover, whichever is higher. The higher tier of €20m (about £18m) or 4% of turnover applies to breaches of the data protection principles (such as processing without a lawful basis) and of data subjects' rights (such as the DSAR requirements).
Many care providers will have assumed in the past that the DPA did not reach them because they kept paper records (the DPA only covered structured 'relevant filing systems'). The sector has been slower to adopt IT systems, and yet holds more sensitive data than many industries. However, GDPR applies to manual filing systems too, so every organisation must focus on meeting the regulation.
What about Brexit?
GDPR is a European Union regulation: a single regulation that covers the whole of the EU. This is for consistency within the European Union and to give countries around the world that trade with Europe a single regulation to adhere to. Voting to leave the European Union does not affect this, as the ICO explains, 'The GDPR will apply in the UK from 25th May 2018. The Government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.'
Given the timescales to negotiate Brexit, and the priorities of other demands, it is highly likely that this regulation will be implemented in the UK as planned.
What action can I take?
There is a limited number of certified GDPR practitioners in the UK, and they cover all industry sectors. The wealthier sectors, such as financial and professional services, will be snapping these up at increasing day rates as the deadline approaches.
If you can’t find or afford a certified practitioner, there are DPIA Workshops run by the Government. They cost £495 per day and are currently only running in London. However, there are many third parties running GDPR training courses – simply Google ‘GDPR training’.
How are other care providers tackling GDPR?
David Robinson, IT Service Delivery Lead at Caring Homes, has been working on how to be GDPR compliant for some time. These are his recommendations:
- Start by starting. It might sound simplistic but for months many companies have seen the regulation coming, and not actually taken any internal action. Think about what you can do now.
- Consider your policies and processes. What is your GDPR policy? You need to develop one, and your staff need to know what is in it. As part of developing your policy and working towards implementing it, consider the personal data that you hold as an organisation. Where is it? Who has access to it? Do they need access to it? How is it protected?
- Review all contracts that you have. Contact all your suppliers that handle data. Consider your staff contracts and new employee contracts.
- Undertake a DPIA using the Data Protection Working Party’s Guidelines.
- Consider the shorter timescales in which you will need to comply with data subject access requests and how you will respond to a request.
- Train your staff. All staff will require training on the regulation, even temporary employees if they handle data. Take ownership, become accountable, know your responsibilities under GDPR as it really will apply to your company.
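The recommendations above amount to a data-mapping exercise: list every place personal data lives (including backups and printouts), record the lawful basis for each, decide which assets need a DPIA, and track subject access requests against the one-month deadline. The following script is an added example, not code from the article or from Caring Homes; it applies those checks to a small constructed inventory for a fictional care home. The asset names and data are constructed, and the deadline rule (the same calendar day in the following month, clamped to the month's last day) is an assumption for illustration rather than the ICO's exact counting rule.

```python
"""Data-mapping register checker (added example, constructed data).

Checks applied, taken from the article's checklist:
  * every asset needs a documented lawful basis;
  * assets holding health or employee-monitoring data need a DPIA;
  * every copy of the data (live system, backup, printout) must itself be documented;
  * open subject access requests are tracked against the one-month deadline.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Categories the article flags as likely to need a DPIA: health data in care
# plans, and monitoring of staff activity such as clocking in/out.
HIGH_RISK_CATEGORIES = {"health", "employee_monitoring"}


@dataclass
class Copy:
    """One place the data lives: the live system, a backup or a printout."""
    location: str
    documented: bool  # is there a written record of how this copy is handled?


@dataclass
class Asset:
    """One system or filing set holding personal data."""
    name: str
    data_categories: Set[str]
    lawful_basis: Optional[str]
    dpia_done: bool
    copies: List[Copy] = field(default_factory=list)


def review_asset(asset: Asset) -> List[str]:
    """Return the compliance gaps found for one asset (empty list means none)."""
    findings = []
    if not asset.lawful_basis:
        findings.append(f"{asset.name}: no documented lawful basis for processing")
    high_risk = sorted(asset.data_categories & HIGH_RISK_CATEGORIES)
    if high_risk and not asset.dpia_done:
        findings.append(f"{asset.name}: holds {high_risk}, DPIA required but not done")
    if not asset.copies:
        findings.append(f"{asset.name}: no copies recorded (at least the live system should be listed)")
    for copy in asset.copies:
        if not copy.documented:
            findings.append(f"{asset.name}: copy at '{copy.location}' has no processing documentation")
    return findings


def review_register(register: List[Asset]) -> List[str]:
    """Run review_asset over the whole inventory and collect every gap."""
    findings = []
    for asset in register:
        findings.extend(review_asset(asset))
    return findings


def deadline_for(received_iso: str) -> str:
    """DSAR deadline as an ISO date: same day next month, clamped to that month's
    last day. This is an assumed rule for illustration, not the ICO's exact one."""
    received = date.fromisoformat(received_iso)
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day)).isoformat()


def dsar_status(received_iso: str, today_iso: str, warn_days: int = 7) -> str:
    """Classify an open DSAR as 'ok', 'due soon' or 'overdue' against its deadline."""
    deadline = date.fromisoformat(deadline_for(received_iso))
    today = date.fromisoformat(today_iso)
    if today > deadline:
        return "overdue"
    if (deadline - today).days <= warn_days:
        return "due soon"
    return "ok"


def build_sample_register() -> List[Asset]:
    """Constructed inventory for a fictional care home (not real data)."""
    return [
        Asset("Electronic care plans", {"health", "identity"}, "provision of care", True,
              [Copy("hosted system", True),
               Copy("nightly tape backup", False),
               Copy("printed care plan in office", False)]),
        Asset("Staff clocking-in records", {"employee_monitoring", "identity"}, "employment contract", False,
              [Copy("payroll PC", True)]),
        Asset("Visitor signing-in book", {"identity"}, None, False,
              [Copy("reception desk", True)]),
    ]


if __name__ == "__main__":
    for gap in review_register(build_sample_register()):
        print("GAP:", gap)
    print("DSAR received 2018-01-31, status on 2018-03-01:", dsar_status("2018-01-31", "2018-03-01"))
```

Run against the sample register this reports four gaps: the tape backup and the printed care plan are undocumented copies, the clocking-in records lack a DPIA, and the visitor book has no lawful basis. Replace `build_sample_register` with your own inventory (one `Asset` per system or filing cabinet) and the checks give you the starting work list the recommendations above describe.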
Is there anything else I can do?
There is a shortcut if your data is held and processed by a third party on your behalf. You remain the data controller and are still responsible for ensuring compliance, but you can ask the third party (the data processor) to document how they manage GDPR compliance, and that documentation becomes part of your own records.
The simplest example of how this shortcut works is where you are using a fully hosted (cloud) system and the supplier provides a document describing how their infrastructure, including their backups, meets GDPR requirements.
The first step could be to identify all your current computer systems and ask each supplier how you can meet GDPR requirements when using their product. At the very least this will give you a list of work to be done, although don't forget any paper-based systems, which no supplier will document for you.
There is no hiding from GDPR as the deadline for compliance looms. Action needs to be taken urgently, but don't panic. Start by speaking to your systems providers, then consider what data you hold, where every copy of it lives and how it is processed. Make sure all staff are aware of their responsibilities and get moving. It will feel like a lot of work, but the penalty for non-compliance is huge and the sector can't afford another cost.
For further details about how you can prepare for GDPR, go to www.personcentredsoftware.com/gdpr