
GDPR – General Data Protection Regulation – what you need to know


Presentation Transcript


  1. GDPR – General Data Protection Regulation – what you need to know: 12 Steps Towards Compliance

  2. Welcome to the Practice Managers Association
  The Practice Managers Association (PMA) is a UK-wide membership body that provides insight, training, education and interaction opportunities for those involved in General Practice. Its membership comprises Practice Managers, GPs and Practice Business Managers, all working in partnership. It seeks to facilitate and promote best practice amongst its members. The PMA offers education and support to those involved in the business management aspects of general practice. It is free to join and, by doing so, you’ll benefit from all we have to offer – and there’s plenty.

  3. Housekeeping: Smokers, Fire Safety, Timings, Breaks/Lunch, Toilets

  4. Facilitator Paul Dodd

  5. GDPR – What’s New
  • Organisations obliged to demonstrate that they comply with the new law
  • Appointment of a Data Protection Officer mandatory for all public authorities
  • Significantly increased penalties possible for any breach of the Regulation – not just data breaches
  • Data Protection Impact Assessment required for high-risk processing
  • Legal requirement for security breach notification

  6. GDPR – What’s New
  • Data protection issues must be addressed in all information processes
  • Removal of charges, in most cases, for providing copies of records to patients or staff who request them
  • Specific requirements for transparency and fair processing
  • Requirement to keep records of data processing activities
  • Tighter rules where consent is the basis for processing

  7. Who has our data?

  8. Why do we need it?

  9. Why do we need it?

  10. Why do we need it?

  11. Why do we need it?

  12. Breaches

  13. Data Day Hygiene - ICO https://www.youtube.com/watch?v=CdYWoLC7TNI

  14. Break

  15. Education and Awareness
  • Inform decision makers and key people about GDPR
  • Communicate impact and identify compliance challenges under GDPR
  • Examine the organisation’s risk register, if available
  • Understand the impact implementing GDPR could have on resources
  • Use the first part of the GDPR’s two-year lead-in period to raise awareness of pending changes
  • Acknowledge compliance may be difficult if left until the last minute

  16. Education and awareness https://ico.org.uk/for-organisations/resources-and-support/health-sector-resources/

  17. Create the culture for compliance I stopped explaining myself when I realised people only understand from their view and perception

  18. What’s your view? https://www.youtube.com/watch?v=r3WDDVWaW9w

  19. What we agree on
  Principle – Patients come first
  Definition – What does coming first mean?
  Method – What’s the plan? Where is the focus?
  Details – What do I do?

  20. Accountability and Audit
  • Show how you comply with the data protection principles
  • Do you have good policies and procedures in place?
  • Document personal data held, where it came from and with whom you share it
  • Consider doing an information audit on data you store, process and transmit
  • If data sent to a 3rd party is inaccurate, you must tell them

  21. What to audit
  • What personal data do you hold?
  • Where did it come from?
  • Who do you share it with?
  • What is the lawful basis for processing it?
  • What format(s) is it in?
  • Who is responsible for it?

  22. Audit Overview

  23. Audit Overview

  24. Individual Data Audit

  25. Update Privacy Notices
  Individuals now have stronger data protection rights.
  • Review all privacy notices
  • Plan for any changes to privacy notices in time for GDPR
  • When collecting data, continue to provide your identity and how you intend to use personal data BUT NOW YOU MUST... explain (1) the legal basis for processing the data, (2) retention periods and (3) the individual’s right to complain when you get it wrong

  26. What do we need to tell people?
  • your intended purposes for processing the personal data;
  • the lawful basis for the processing.
  This applies whether you collect the personal data directly from the individual or you collect their data from another source.

  27. Lunch

  28. Understand Individuals’ Enhanced Rights
  Check policies and procedures to ensure they cover individuals’ enhanced rights under GDPR.
  • Subject access requests
  • Correction of inaccuracies
  • Erasure of information
  • Prevent direct marketing
  • Prevent automated decision-making and profiling
  • Data portability

  29. Update Subject Access Request Procedures
  Must handle subject access requests (SARs) within 1 month, not 40 days.
  • Cannot charge for or refuse SARs unless manifestly unfounded or excessive
  • Use new policies/procedures to show why a request was refused
  • Provide information on data retention periods and the right to have inaccurate data corrected to the person making the SAR
  • Large organisations should consider the logistics of SARs carefully
  • Give information about SAR policies and procedures online?
  • Consider conducting a cost/benefit analysis

  30. Communicating the request

  31. SAR – The cost
  What can we do?
  How many do you get now?
  How big?
  Who does what and for how long?
  Physical resources needed

  32. Identify Legal Basis for Data Processing
  • Assess the types of data processing you do, identify the legal basis and document it
  • People have a stronger right to have data deleted when it was obtained via consent
  • Give details of the legal basis in privacy notices (see Step 3) and SARs (Step 5)
  Legal bases are broadly the same under GDPR as in the DPA.

  33. Lawful bases for processing

  34. Legitimate interests vs Consent
  In cases where there is a choice, including consent:
  • Who does the processing benefit?
  • Would individuals expect this processing to take place?
  • What is your relationship with the individual?
  • Are you in a position of power over them?
  • What is the impact of the processing on the individual?
  • Are they vulnerable?
  • Are some of the individuals concerned likely to object?
  • Are you able to stop the processing at any time on request?

  35. What’s the basis – Where do our records fit?
  • HR records
  • Medical records
  • Requests for examination and treatment
  • Screening tests

  36. 7. Obtaining Consent
  • Review how you seek, obtain and record consent
  • Both the DPA and GDPR refer to ‘consent’ and ‘explicit consent’
  • The difference between the two is unclear. Both forms are freely given, specific, informed and unambiguous
  • Consent has to be a positive indication of agreement to process personal data. It cannot be inferred from silence or pre-ticked boxes
  • Consent must be verifiable. Controllers must be able to demonstrate consent was given
  • Set up an effective audit trail to show consent

  37. 8. Processing Children’s Personal Data
  • Introduce systems to verify individuals’ ages and to gather parental or guardian consent for processing of children’s personal data
  • GDPR introduces special protection for children’s personal data, especially under commercial Internet services e.g. social media
  • Child – anyone under 13 years
  • Consent must be verifiable
  • Privacy notice written in language children understand

  38. Data Protection Officers
  • Designate a data protection officer if required; or designate a person responsible for data protection compliance
  • Where does this role sit within corporate governance?
  • Someone must take responsibility/accountability in all cases
  • Consider an external data protection advisor
  • GDPR requires some organisations to designate a Data Protection Officer, e.g. a public authority or organisations doing regular and systematic monitoring of data subjects on a large scale

  39. Special Categories of Data
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data and biometric data for the purpose of uniquely identifying a natural person
  • Health
  • A person’s sex life or sexual orientation

  40. Records of Processing Activities
  Article 30 of the GDPR requires organisations to maintain a record of the processing activities under their responsibility. The records must contain:
  (a) The name and contact details of the controller and, if applicable, the joint controller, the controller’s representative and the data protection officer
  (b) The purposes of the processing
  (c) A description of the categories of data subjects and categories of personal data
  (d) The categories of recipients to whom the personal data has been (or will be) disclosed (including to third countries/international organisations)
  (e) Where applicable, transfers of personal data to a third country or an international organisation, including their identity and documentation of suitable safeguards (if applicable)
  (f) Where possible, the envisaged time limits for erasure of the different categories of data
  (g) Where possible, a general description of the technical and organisational security measures

  41. Records of Processing Activities
  If you have fewer than 250 employees then you must keep records of any processing activities that:
  • are not occasional;
  • could result in a risk to the rights and freedoms of individuals; or
  • involve the processing of special categories of data or criminal conviction and offence data.
  You may be required to make these records available to the ICO on request.

  42. Records of Processing Activities
  If you have over 250 employees, you must record the following information:
  • name and details of your business (and where applicable, of other controllers, your representative and data protection officer);
  • purposes of the processing;
  • description of the categories of individuals and categories of personal data;
  • categories of recipients of personal data;
  • where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
  • retention schedules; and
  • a general description of technical and organisational security measures.
  You may be required to make these records available to the ICO on request.
