Leo Briggs explores the impact of the new General Data Protection Regulation legislation.

The General Data Protection Regulation (GDPR), introduced on 25 May 2018, is designed to be the world’s strongest data protection rules and modernised previous laws that protect the personal information of individuals. However, there is still much confusion surrounding GDPR, particularly how GDPR will impact upon dental practices and professionals.

The Information Commissioner, who enforces GDPR in the UK, has described the new legislation as ‘an evolution rather than a revolution’ in data protection law. However, it is important to be aware of some key changes to enable you to have a plan in place to address any outstanding issues in your practice. The DDU recommends you consider the following factors.

Do update your privacy policy

GDPR necessitates data controllers to inform patients about how their personal data will be used and their rights as a data subject. If you have not done so already, now is a good time to renew your current privacy policy to make sure it is clear and contains the following:

  • The identity and contact details of the data controller, and the data protection officer where relevant
  • The purpose of the processing and the legal basis for it
  • Any recipient of data or categories of recipients
  • The existence of the data subject rights
  • The right to withdraw consent at any time
  • The right to lodge a complaint
  • Retention periods
  • The existence of automated decision-making, including profiling and information about how decisions are made, their significance and consequences
  • Details of transfers to countries outside the EU and safeguards.

Further information can be found on the Information Commissioner’s Office (ICO) website.

Do appoint a data protection officer (DPO) if required

A data protection officer (DPO) is an individual who is to ‘assist you [in] monitoring internal compliance, [to] inform and advise on your data protection obligations, [to] provide advice regarding data protection impact assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.’

As part of the GDPR, a DPO must be appointed if:

  • You are a public authority or body (all practices providing NHS treatment are considered public authorities)
  • Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking)
  • Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

While the ICO does not explicitly describe large scale processing, it does state that relevant factors could include the number of data subjects, the volume of personal data being processed and the duration or permanence of the activity.

While a DPO is not required to understand all the implications of the GDPR, they must have demonstrable expert knowledge of data protection law and practice, be able to keep up to date with any changes and clarifications and understand the impact of the new legislation.

Do check if procedural changes are needed for subject access requests

Patients will still be able to request access to their own records and the criteria for subject access requests under GDPR remains the same. However, there have been some procedural changes under GDPR including:

  • The subject access request does not have to be in writing
  • Data subjects cannot be charged for copies of records unless the request is ‘manifestly unfounded, excessive or repetitive’ when you can charge a reasonable fee
  • You need to provide the information within one month
  • Requests that are unfounded or excessive can be refused but this should be explained and the subject told of their right to complain to the ICO and to seek judicial remedy
  • Access requests must be documented, including details of any delay in providing the information and when requests have been refused.

Consequently, it is important that these changes are reflected in practice procedure and that they are communicated to the team both verbally and in writing.

Do ensure you have all the necessary documentation

The introduction of GDPR has resulted in new obligations to document your data processing activities.

Organisations with fewer than 250 employees must document activities concerning high-risk processing activity such as health data. The ICO outlines all the information that must be recorded including, processing purposes, data sharing, and retention and provides templates for data controllers.

Do take all necessary measures to ensure data is secure

Under GDPR, practices will be required to undertake data protection impact assessments (DPIAs) before beginning any type of high-risk processing such as processing special category data on a large-scale.

Do take appropriate action if there is a data breach

A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. If a breach is likely to result in a risk to the rights and freedoms of individuals it must be reported to the ICO no later than 72 hours after you become aware of it. In practice, it is likely that a security breach of a patient’s personal data would have to be reported to the ICO.

You should also inform the data subject if a breach is likely to result in a high risk to their rights and freedoms, eg an accidental disclosure of patient records.

As GDPR is still relatively new legislation it is worth regularly reviewing the ICO’s website or contacting your dental defence organisation if you have any questions.

For more information visit www.theddu.com.