If you’re not sure about whether your practice is data compliant, now would be a good time to check, one year after ‘GDPR day’, Kim Campbell says.
We have just passed the first anniversary of ‘GDPR day’ (25 May 2018). So, what’s new?
The media circus surrounding GDPR has certainly left town, and the general fear concerning the ICO’s use of its increased powers seems to have reduced. However, we are finding that there is still much confusion surrounding GDPR in the context of dental practices and professionals.
We could dedicate a full edition of Dentistry Scotland to GDPR (but don’t worry – we wouldn’t do that to you!). It is an incredibly detailed subject and a bit of a minefield in certain respects.
However, we thought it may be helpful to summarise some of the key requirements of GDPR in the context of dental practices. We would recommend that you consider the following factors:
- Appoint a data protection officer (if required): it is a requirement of GDPR that a data protection officer (DPO) be appointed if you are a public authority or body. A DPO is an individual who is to ‘assist you in monitoring internal compliance, to inform and advise on your data protection obligations, to provide advice regarding data protection impact assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.’ So what? Dental practices are, in the main, privately owned and so that requirement is surely not relevant? Wrong. In terms of GDPR, any dental practice that provides NHS treatment (however minimal that may be) is considered to be a public authority. As such, if your practice provides any NHS treatment, however minimal, then you should ensure that you appoint a DPO.
- Consent: under GDPR, dental practices are required to keep a record of when and in what form a patient gives consent to store and use their personal data. It is important to note that this consent cannot simply be inferred from inactivity or silence – it needs to be obvious and distinguishable from other matters and provided in an easily accessible form, using simple, clear language. In practical terms, this means you’re required to clearly explain to your patients what you are intending to do with their personal data. You should also bear in mind that a patient can choose to withdraw their consent once it has been given and the process for revoking consent must be made equally easy. The GDPR also introduces a requirement for parental consent for those patients under the age of 16.
- Take appropriate action if there is a data breach: a personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. If a data breach is likely to result in a risk to the rights and freedoms of individuals, then it must be reported to the Information Commissioner’s Office (ICO) no later than 72 hours after you become aware of it. In the context of a dental practice therefore, it is likely that a security breach of a patient’s personal data would have to be reported to the ICO. The data subject (ie the patient) should also be informed if a breach is likely to result in a particularly high risk to their rights and freedoms (eg an accidental disclosure of patient records).
The above are just some of the steps that you should be taking to ensure compliance with your GDPR obligations.
There are murmurings that the ICO has not been overly strict for this first year in order to allow businesses, particularly smaller ones, a period of time to adjust to the new regulations. However, any such grace period is now almost over and so it is important to ensure that your practice is fully GDPR compliant from this point onwards.
If you have any concerns surrounding your practice’s GDPR compliance, then please do speak to a specialist dental solicitor and seek advice.