To help you understand the implications of these new laws and how it could affect your work, we have compiled the following FAQs. If you have any questions, please contact
1. What is the GDPR and when does it become applicable?
The GDPR is European Union (EU) legislation that becomes directly applicable in all EU member states on 25 May 2018.
2. What is the difference between the GDPR and the Data Protection (DP) Bill?
- The GDPR is EU legislation that will be applicable as law in EU member states (e.g. the UK) from 25 May 2018, irrespective of national legislation.
- The DP Bill will become law when enacted as the Data Protection Act 2017. It will explicitly bring provisions of the GDPR into UK law and establish continuity of the GDPR in the UK post Brexit. The Act will legislate in areas where the GDPR allows flexibility at national level. It will also introduce legislation on processing for law enforcement purposes (in support of the EU Law Enforcement Directive) and by the intelligence services, and make provision for the Information Commissioner (the UK regulator).
3. How does this affect current UK law on data protection (DPA 1998)?
- The DPA 1998 will be completely repealed.
4. What are the penalties for non-compliance?
- Fines under the GDPR are up to a maximum of €20 million or 4% of annual worldwide turnover, whichever is higher. For health and social care organisations, any fine would be likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage. Therefore, it is important that organisations ensure their compliance.
5. How does this affect me?
The GDPR strengthens the controls that organisations (controllers) are required to have in place over the processing of personal data, including pseudonymised personal data.
Headline impacts are:
- Appointment of Data Protection Officer (DPO) mandatory for all public authorities
- Organisations obliged to demonstrate that they comply with the new law (the concept of ‘accountability’).
- Significantly increased penalties possible for any breach of the Regulation – not just data breaches (see above).
- Legal requirement for security breach notification.
- Removal of charges, in most cases, for providing copies of records to patients or staff who request them.
- Requirement to keep records of data processing activities.
- Data Protection Impact Assessment required for high risk processing (which includes the large-scale processing of health-related personal data).
- Data protection issues must be addressed in all information processes.
- Specific requirements for transparency and fair processing.
- Tighter rules where consent is the basis for processing.
Some of these requirements should already be established good practice. Organisations that score well on the Information Governance Toolkit should have a good baseline to work from. However, these legal requirements oblige organisations to take specified actions, and to hold evidence demonstrating that they have done so.
Organisations should undertake a thorough review of the GDPR requirements, including the helpful and on-going guidance published by the Information Commissioner’s Office (ICO), to ensure they are compliant. This is especially important because areas which were previously good practice are now legal requirements (e.g. the Data Protection Impact Assessment – see below).
Other issues to think about include the information provided to data subjects. Most health and social care organisations provide privacy notices to their data subjects as standard, explaining what they use personal data for and why. The ICO has published a code of practice on what should be included. The GDPR / DP Bill now requires that specific information be provided to a data subject. Articles 12 – 14 of the GDPR set out what will be required.
6. What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are put in place when any new process, system or ways of working involving the use of high risk processing (such as processing “health data”) is introduced.
- When undertaking a DPIA, an organisation’s designated Data Protection Officer must be consulted. A DPIA should be signed off by an organisation’s Senior Information Risk Owner (SIRO) and the Data Protection Officer (DPO).
- A DPIA has to be completed before any new process, system or way of working goes live (i.e. at the business planning stage of a project) where it involves high risk processing.
- The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals through a failure to comply with the GDPR (or new DPA).
7. What/who is the DPO?
The DPO will also be responsible for monitoring the organisation(s) compliance with the GDPR.
It is important to note that data processors that process personal data on behalf of health or social care organisations must also appoint a DPO where their core activities consist of either:
- processing special category data (such as health data) on a large scale, OR
- regular and systematic monitoring of data subjects on a large scale.
The DPO reports directly to an organisation’s highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO.
It is envisaged that the DPO will be supported by the organisation’s Information Governance (IG) and/or Information and Communication Technology (ICT) teams.
8. Who can be a DPO?
Organisations must ensure that the DPO role is independent, free from conflict of interest. DPOs may be shared by multiple organisations that are ‘public authorities’ taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest. A DPO team with a nominated contact for each organisation is an acceptable approach.
There are specific roles that the DPO cannot perform in conjunction with this new role. As a result it is important to consider EU Guidelines that state:-
9. What guidance does the ICO intend to publish?
The ICO has already started to publish useful information and will continue to do so.
10. Do you need to re-seek consent if already obtained for the purposes of sharing data?
Please be aware the ICO have produced draft guidance regarding consent which may be helpful.
Organisations should review their existing consents before May 2018 to ensure that they are GDPR-compliant.
It will not be necessary to seek new consent if your existing consents are already GDPR compliant - although you will need to ensure that you have compliant documentation and consent withdrawal mechanisms in place.
If your existing DPA consents do not meet the GDPR’s requirements, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure the continued processing is transparent and fair, i.e. that data subjects’ rights and freedoms are not undermined by the change in processing), or stop the processing.
Any exercise to contact individuals to refresh consent must itself comply with the DPA and Privacy and Electronic Communications Regulations (PECR).
11. How will the right to erasure be applied in a healthcare setting?
A data subject’s right to erasure is a fundamental right. However, it must be applied sensibly. There are legitimate grounds under the GDPR (Article 17(3)) on which processing can lawfully continue and such a request be refused. For example, where there is a legal obligation, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. There are other grounds, such as reasons of public interest in the area of public health, or archiving in the public interest.
This right aims in particular to strengthen the ability to have information that was made available online removed, especially where it was made public when the data subject was a child, so that the right remains available to them as an adult.
A request from a data subject exercising this right should be taken seriously and considered on a case by case basis. Where it is legitimately not possible to erase the information, the reasons should be communicated to the data subject promptly, within the time limit Article 12 sets for responding to data subject requests (without undue delay and at the latest within one month of receipt).
12. Is there a standard format for giving information held back to the patient?
No. The GDPR describes what information should be provided to the patient but not the format in which it should be provided. Note, however, that where a subject access request is made by electronic means, Article 15(3) requires the information to be provided in a commonly used electronic form unless the data subject requests otherwise.