The EU General Data Protection Regulation will come into force in the UK on 25 May 2018. It will apply to any organisation within the EU which processes personal data and it will also apply to organisations based outside of the EU but which process personal data of EU citizens. Key features include an increased emphasis on giving individuals control of their data, new measures to increase accountability of data controllers and additional data security requirements including an obligation to impose contractual conditions on third party processors e.g. cloud providers.

If you have not already started your preparations for complying with the Regulation, we recommend you do so without delay by:

  • Identifying personal data is held and used within the organisation;
  • Reviewing systems and data flows to determine how personal data comes into the organisation and is managed;
  • Reviewing current technical and organisational measures which are in place to keep personal data secure;
  • Identifying what changes need to be made to ensure compliance with the GDPR;
  • Allocating appropriate resources and appointing a member of staff to manage the process;
  • Updating your policies that deal with processing of personal data and responding to security breaches;
  • Training your staff on the new regime.

It is essential that your organisation complies with the GDPR rules by 25 May. The maximum fines for non-compliance are 4% of the organisation’s annual global turnover or €20 million, whichever is greater and prosecutions will inevitably attract bad publicity and damage your organisation’s good standing with the public. The Information Commissioner’s Office (the statutory enforcement agency) will not shy away from investigating, prosecuting and fining health and care organisations – particular attention will be paid to organisations dealing with ‘special categories’ of personal data, including sensitive health records. It will also be important to have appropriate systems and procedures in place to be able to respond efficiently and effectively to requests from individuals who have increased rights in relation to their data under GDPR.

Recent relevant successful prosecutions and fines include:

  • Various employees of health and care organisations accessing friends’, relatives’, colleagues’ and neighbours’ medical records without having a business reason for doing so and without consent and without the knowledge of the data controller
  • Council and health and care organisations’ employees emailing sensitive personal data about individuals receiving health or social care to their own personal email accounts without consent and without the knowledge of the data controller
  • A police force releasing sensitive personal data to a GP in the absence of the patient’s consent and where the officer concerned had received no data protection training
  • A local authority posting sensitive personal data of disabled people in an on-line directory with no security access arrangements and without their consent
  • A police force sharing sensitive personal data with a care agency in the absence of having any data sharing agreement in place.

In addition to the Regulation, you will need to review GDPR in conjunction with your other information governance responsibilities, including: the common law duty of confidentiality; the Human Rights Act 1998; the Freedom of Information Act 2000; the Caldicott Principles; and your contractual obligations relating to processing personal data.