GDPR for GPs

GDPR is arguably the most important data legislation change of recent times and makes the task of keeping data safe more vital than ever before. Here we explain GDPR for GPs and detail what steps GPs need to take to be compliant.

From May 2018, the new regulations come into force. They introduce some new elements and some significant enhancements to the original regulations, so you will have to do some things for the first time and some things differently. The GDPR largely applies to personal data held by an organisation. This includes names, photos, email addresses, bank details, posts on social networking websites, medical information and computer IP addresses. It is therefore vitally important to ensure that you collect and store confidential data, including patient and staff contact data, in accordance with the GDPR. NHS Digital will be publishing a checklist to help practices implement the requirements of the new GDPR.

All practices must also maintain a business continuity plan, which should include details of how the practice will respond to data and cyber security incidents. Practices must also report data security incidents and near misses to CareCERT (an NHS Digital system that delivers essential cyber security updates across the whole NHS). The GP IT services should help practices report and manage such incidents.

What can Practices do to Prepare for the May 2018 Deadline?

  • Make sure you monitor and record who you share data with, and know where that information is held and stored at your practice.
  • Let your employees know why you require their personal data and that of the patients, the legal requirements, justifications and the application of consent. Ensure staff are fully trained in all aspects of the new legislation.
  • The Information Commissioner's Office (a public body which reports to government and upholds information rights in the public interest) recommends that anyone processing data at ‘large scale’ should have a Data Protection Officer, who is a person responsible for verifying that you are complying with data protection requirements.
  • Subject access requests (SARs) under the new rules differ from how you have been dealing with these under the current Data Protection Act. You can no longer charge patients coming to you with an SAR, and where you had 40 days to deal with these types of requests before, you now only have a month to comply with the request.
  • The GDPR has higher requirements for consent. You will need to devise clear opt-out options and keep good records of consent.

Overall, the GDPR will be an administrative burden for practices, but in so many ways it’s all about processes and procedures and isn’t as daunting as it perhaps seems at first glance.

Useful Links:

NHS Data Protection Training

Data Security Protection Requirements

If you would like to discuss the impact of GDPR on your practice with us in more detail or if you have any questions, please contact Hannah Farmborough or call on 0207 429 4147 to be put in contact with a member of our Healthcare team.

This article originally appeared on the blog of our member firm, MHA Moore & Smalley.