
How not to Screw up GDPR

GDPR at DrDoctor
Everyone is talking about GDPR. It may not be the most exciting topic, but it will have a big impact on users. How do we go about not screwing it up? Read on to see what we’ve done to prepare for May 25th 2018.

We take data protection seriously, as should every organisation, especially one dealing with sensitive data like patient and healthcare details. One of our main company OKRs for 2017/2018 was to make sure we nail GDPR.

Burning questions
One of the biggest things we did to prepare for GDPR was research with our lawyers. Having a good legal team in place to guide you through the process is essential and proved invaluable to us. We went to them with a list of questions ranging from what do we need to do, all the way through to what can’t we do. If you don’t have lawyers on hand then the Information Commissioner’s Office has a great set of checklists to get you thinking about the right things.

We developed an FAQ document which listed every major question and answer we needed with our legal team. Having all of these queries in one place has made it much easier for us to manage the changes we need to make as an organisation.

One of the key objectives of the FAQ document was understanding the flow of our different data items: who owns them (controller vs. processor – see below for details), how they are secured, when they are deleted or archived, and where they are all stored.

Everything but the kitchen sink
GDPR describes personal data as “any information relating to an identified or identifiable natural person” being someone who can be “identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. That’s quite a broad range. It’s split down into:

  • Not personal data – if a person cannot be identified in the data
  • Personal data – if a person can be identified in the data
  • Sensitive personal data – data consisting of information such as the racial or ethnic origin of the data subject, their political or religious views, their physical or mental health condition, etc.

Map it out
A good place to start is mapping out all the flows of data in and out of your company. Also include in there any data flows between sites within your company. What data items do you have? Thinking of the categories above, go through and tag each one. How are they stored? Are they encrypted? Are they archived or deleted? If so, when and how?

Role play
There are two roles in data handling and you will need to determine which role you play, if not both. You may recognise these from pre-GDPR days. Go through your data items and work out which ones you are the controller for and which you are the processor for.

Data Controller: can decide the purposes and means of the processing of personal data

Data Processor: processes personal data on behalf of the controller

The distinction between the two roles is important for compliance. The GDPR treats Data Controllers as the main party responsible for everything from collecting consent to enabling the right to access data; however, one of the biggest changes from the outgoing DPA is the increased responsibilities (and fines) for Data Processors.

If a user requests to withdraw their consent for their personal data, they would need to contact the Data Controller to begin the request. The Data Controller would then pass the request on to the Data Processor to have them remove the data from their servers.

If you are a Data Processor you need to make sure you have a clear legal basis from the Controller for processing. If you are the Controller then you should put agreements in place with any Data Processors to govern how they use your (users’) data.

Consent is a huge part of GDPR and in most cases you will need people to provide explicit consent for their data to be processed. Consent needs to be freely given, specific and informed (the person must know what they are consenting to). The processor must also be able to show that the person has given their consent, if asked.

The data subject has the right to withdraw their consent at any time. If you process children’s personal data and the child is under 13 years old you will have to get consent from the person who holds parental responsibility for them.

There are special circumstances where you may use another lawful basis, other than consent, for processing sensitive data. Examples of this are providing health and social care, matters that are in the public interest for public health, and defending a legal claim. If you believe you may be covered under one of these provisions then see Article 9(2) for details.
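The consent rules above (specific purpose, informed by a particular notice, demonstrable on request, withdrawable at any time, parental consent under 13) are easiest to get right if they are enforced by the system that records consent rather than by policy alone. The following is an added example, not DrDoctor’s code: a small in-memory consent ledger whose design (the `ConsentLedger` class, its record fields and the constructed `demo()` scenario) is an assumption made for illustration, with the age threshold of 13 taken from the post.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Age below which consent must come from the holder of parental responsibility
# (the UK threshold the post gives).
PARENTAL_CONSENT_AGE = 13


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # the specific processing the person agreed to
    notice_version: str          # which privacy notice they saw, so consent is informed
    given_at: datetime
    given_by: str                # the subject, or the guardian for a child
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only record of consents, kept so consent can be demonstrated on request.
    Hypothetical design for this example."""

    def __init__(self):
        self.records: List[ConsentRecord] = []

    def record(self, subject_id, purpose, notice_version, given_at, age, guardian_id=None):
        if age < PARENTAL_CONSENT_AGE and guardian_id is None:
            raise ValueError("a child under %d needs consent from the parental "
                             "responsibility holder" % PARENTAL_CONSENT_AGE)
        rec = ConsentRecord(subject_id, purpose, notice_version, given_at,
                            guardian_id or subject_id)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at):
        """Mark every live consent for this subject and purpose as withdrawn; returns how many."""
        count = 0
        for rec in self.records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                count += 1
        return count

    def may_process(self, subject_id, purpose, at):
        """True only if consent for exactly this purpose was given by `at` and not withdrawn by then."""
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.given_at <= at
                   and (rec.withdrawn_at is None or rec.withdrawn_at > at)
                   for rec in self.records)

    def evidence(self, subject_id):
        """Everything you would show if asked to prove that consent was (or was not) given."""
        return [rec for rec in self.records if rec.subject_id == subject_id]


def demo():
    """Constructed scenario: an adult consents to reminders and later withdraws;
    a child's consent is only accepted when a guardian gives it."""
    purpose = "appointment reminders by SMS"
    ledger = ConsentLedger()
    ledger.record("patient-001", purpose, "notice-v2", datetime(2018, 5, 25), age=34)
    ledger.withdraw("patient-001", purpose, datetime(2018, 7, 10))
    try:
        ledger.record("patient-002", purpose, "notice-v2", datetime(2018, 5, 25), age=10)
    except ValueError:
        ledger.record("patient-002", purpose, "notice-v2", datetime(2018, 5, 25),
                      age=10, guardian_id="guardian-007")
    return {
        "before_withdrawal": ledger.may_process("patient-001", purpose, datetime(2018, 6, 1)),
        "after_withdrawal": ledger.may_process("patient-001", purpose, datetime(2018, 8, 1)),
        "other_purpose": ledger.may_process("patient-001", "marketing emails", datetime(2018, 6, 1)),
        "child_given_by": ledger.evidence("patient-002")[0].given_by,
        "evidence_count": len(ledger.evidence("patient-001")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Withdrawal never deletes the record: the withdrawn entry is exactly what you need to demonstrate that you stopped processing when asked. Checking `may_process` at a point in time, rather than just "is there a consent row", is what keeps historical processing defensible after a withdrawal.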

Practice makes perfect
The implementation of GDPR means users can request all of their data from you and you will have just one month to retrieve it all. If you are handling fairly small amounts of data this shouldn’t be too challenging (depending on the size of your user base); however, if you are dealing with a lot of complex data from many users, these requests may be hard to fulfil.

Start with the register you have made of all your data items and use this as the basis for a plan on how you will go about retrieving them. Try out a dry run of pulling a user’s data and see how long it takes you. If you imagine several of these requests coming in alongside the usual day-to-day work, will you be able to do them all within 4 weeks? If not, you may need to revisit the retrieval processes in order to develop a more streamlined way of completing this action. If you are unable to process a request in one month, be prepared to face hefty fines.
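The register from “Map it out” and the dry run described here fit together naturally in code: tag each data item with its category, role, encryption and retention, then drive the subject access export and the retention check from that same register. The following is an added example and not DrDoctor’s code; the `DataItem` shape, the field-to-category sets, the sample register and stores, the placeholder identifiers and the one-month deadline rule (same day next month, clamped to the month end) are all assumptions constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed field categories. Any IDENTIFIER field makes a record personal data;
# any SENSITIVE field makes it sensitive personal data (a clinic name reveals a
# health condition, so it is treated as sensitive here).
IDENTIFIER_FIELDS = {"name", "email", "phone", "nhs_number", "postcode", "ip_address"}
SENSITIVE_FIELDS = {"clinic", "diagnosis", "ethnicity", "religion", "political_views"}


@dataclass
class DataItem:
    name: str
    store: str                    # the system that holds it
    fields: Tuple[str, ...]       # columns held (every row also carries a "created" date)
    role: str                     # "controller" or "processor" for this item
    encrypted_at_rest: bool
    retention_days: Optional[int]  # None: kept until deleted on request
    subject_key: str              # field that identifies one data subject, "" if none


def classify(item):
    held = set(item.fields)
    if held & SENSITIVE_FIELDS:
        return "sensitive personal data"
    if held & IDENTIFIER_FIELDS:
        return "personal data"
    return "not personal data"


def build_register(items):
    """The 'Map it out' register: each item tagged with category, role, encryption and retention."""
    return [{"name": i.name, "store": i.store, "category": classify(i), "role": i.role,
             "encrypted": i.encrypted_at_rest, "retention_days": i.retention_days}
            for i in items]


def sar_deadline(received_iso):
    """One month from receipt of a subject access request (assumed rule: same day next month,
    clamped to the end of a shorter month)."""
    d = date.fromisoformat(received_iso)
    month, year = d.month % 12 + 1, d.year + (d.month == 12)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1])).isoformat()


def subject_access_export(items, stores, identifiers):
    """Dry run of pulling everything held about one subject across all stores.
    `identifiers` maps subject_key field -> value for this person. Items we only
    process on another controller's behalf are listed so the request can be routed to them."""
    export = {"rows": {}, "forward_to_controller": [], "no_subject_key": []}
    for item in items:
        if classify(item) == "not personal data":
            continue
        if not item.subject_key:
            export["no_subject_key"].append(item.name)  # cannot be retrieved per person: a gap to fix
            continue
        wanted = identifiers.get(item.subject_key)
        rows = [r for r in stores.get(item.store, []) if r.get(item.subject_key) == wanted]
        if not rows:
            continue
        export["rows"][item.name] = rows
        if item.role == "processor":
            export["forward_to_controller"].append(item.name)
    return export


def retention_overdue(items, stores, today_iso):
    """Rows older than their item's retention period that should already be deleted or archived."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for item in items:
        if item.retention_days is None:
            continue
        cutoff = today - timedelta(days=item.retention_days)
        overdue += [(item.name, r) for r in stores.get(item.store, []) if r["created"] < cutoff]
    return overdue


# Constructed sample register and stores (placeholder identifiers, not real patients).
REGISTER = [
    DataItem("appointment_reminders", "sms_gateway", ("phone", "clinic", "sent_at"), "processor", True, 365, "phone"),
    DataItem("patient_profiles", "patients_db", ("nhs_number", "name", "email"), "processor", True, None, "nhs_number"),
    DataItem("support_tickets", "helpdesk", ("email", "message"), "controller", True, 180, "email"),
    DataItem("web_analytics", "analytics_db", ("page", "count"), "controller", False, 730, ""),
]
STORES = {
    "sms_gateway": [
        {"phone": "07700900001", "clinic": "cardiology", "sent_at": "2018-03-01", "created": date(2018, 3, 1)},
        {"phone": "07700900002", "clinic": "dermatology", "sent_at": "2016-01-05", "created": date(2016, 1, 5)},
    ],
    "patients_db": [{"nhs_number": "NHS-TEST-001", "name": "A. Example", "email": "a@example.org", "created": date(2017, 6, 1)}],
    "helpdesk": [{"email": "a@example.org", "message": "Wrong clinic on my reminder", "created": date(2018, 2, 1)}],
    "analytics_db": [{"page": "/", "count": 10, "created": date(2018, 1, 1)}],
}
SUBJECT = {"phone": "07700900001", "nhs_number": "NHS-TEST-001", "email": "a@example.org"}

if __name__ == "__main__":
    for entry in build_register(REGISTER):
        print(entry)
    print("deadline for a request received 2018-05-25:", sar_deadline("2018-05-25"))
    print(subject_access_export(REGISTER, STORES, SUBJECT))
    print(retention_overdue(REGISTER, STORES, "2018-05-25"))
```

Two things the dry run surfaces that a paper register will not: any personal-data item with no `subject_key` cannot be retrieved per person at all (the `no_subject_key` list), and items you hold as a processor need routing back to the controller rather than answering directly. Running `retention_overdue` on the same register is a cheap check that the “when are they deleted or archived?” answers in your FAQ match what the stores actually contain.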

After the fact
Be prepared to make changes to your processes as GDPR comes into full swing. Don’t feel like the plans you’ve put in place initially are set in stone, as they will most likely change as we all settle in. Like any new piece of legislation, things will take time to catch up and for kinks to be ironed out. Staying on top of your data and making sure all employees that handle data are informed of new processes

What actually is GDPR?
The EU’s General Data Protection Regulation (GDPR) is the result of the EU working to align data protection law with the evolving needs of users. Currently the UK relies on the Data Protection Act 1998, which can now be considered outdated. GDPR will introduce harsher fines for non-compliance and will give people more say over what companies can do with their data; it also makes data protection law pretty much identical throughout the EU.

Why has it been introduced?
The EU wants to give people more control over how their personal data is used. Current legislation was implemented before the likes of cloud technology, meaning it is obsolete. The EU also wants to make it easier for businesses to operate by making data protection legislation identical throughout the single market.

When all is said and done
GDPR is incredibly important to users and to businesses. It will give users many more rights over their data and help businesses operate better on data protection. If you haven’t already put plans in place you may be out of time and should be looking to urgently consult your legal team.