Privacy by Design: The General Data Protection Revolution

I'm Perran, the Data Protection Officer at DrDoctor.

In this article, I spell out the steps that we took in preparation for GDPR kicking in on May 25th, and the steps we have taken since then that go above and beyond the legal requirements. At DrDoctor we try to make things as clear as possible. So, in case you (somehow) missed it, GDPR is the new General Data Protection Regulation that is now law in all 27 EU member states (well, at least until Brexit?).

In the admitedly-sometimes-boring world of data and privacy protection, we are in the middle of a renaissance. The industrial revolution marked the development of new technologies, their application for widespread human benefit, a period of exploitation facilitated by that self-same technology, and a re-balancing of power. The same can be said for GDPR.

We stand on the threshold of evolution in personal data, and our relationship with it. Admidst recent scandals, our digital profile is gaining an increasing foothold on the core of what it means to be human. Already we can decode a person's entire genome. We can recreate neural pathways to replicate cognitive models. Some even claim to manipulate social media to affect the outcomes of elections.

At DrDoctor we're excited about the challenge that privacy-by design poses, and that GDPR has brought into limelight. The future looks bright for the use of data in healthcare, but it is a subject that must be handled properly. Healthcare institutions handle some of the most sensitive personal data out there. It even has its own "special category" under GDPR. This means that it comes with stricter rules on how you can handle, store and process it. And for good reason.

Patients have the right to expect that their information will be handled with care, will be stored securely and will only be processed when it is within an individual's legitimate intrest to do so. We’ve worked long and hard internally, and with our partners to make sure that all data we process and control is handled in the correct way.

Here's what we've done to date to make sure we're ahead of the privacy-by-design curve:

• We carry out Data Protection Impact Assessments with all of our clients upon partnering, as standard. We're also happy to support potential partners in pulling a Privacy Impact Assessment (PIA) together.
• All GDPR queries that we've recieived since the 25th May have had a personal reponse from me in my capacity as Data Protection Officer.
  We've updated our internal training documents. We're also implementing a plan to re-train all DrDoctor employees under GDPR guidelines.
• For a long time we have followed a secure two-factor authentication process to make sure that individuals can only ever access their own data. But we have recently added a consent step to this process, allowing patients to give us their consent to collect data on them. We use this data to allow patients to view digital letters, change or cancel their appointments and view their appointment history.
•  We’ve carried out a review of our website Terms of Service and Private Policy to make them easier to read so that everyone can understand what data we collect, how we use it and what to do if you'd rather we didn't.

We’ve decided to open our progress up to the world, because we want to be held up to the lofty standards we set for ourselves. And we’ll be sure to keep you up to date with our ideas about privacy over the coming months.

If you have any questions, queries or ideas about our GDPR compliance then we'd love to you hear from you. Please contact me at: perran.pengelly@drdoctor.co.uk