The General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on 4th May 2016 and will be in force from 25th May 2018. The GDPR will replace the Data Protection Directive 95/46/EC and set in motion the biggest changes to the processing of personal data in 20 years. The United Kingdom will still be a member state of the European Union when it comes into force and, as no domestic legislation is necessary to implement the GDPR, any organisation processing personal data will need to update outdated policies and procedures to comply with it.
So what is the impact of this on the NHS? The answer is that the GDPR has major implications for how organisations process patient data. The main talking point around the GDPR appears to be the financial implications of any breach – breaches will have to be reported within 72 hours, and contraventions will be met with hefty fines. Guidance is eagerly anticipated from the Information Commissioner's Office on how member states will determine to what extent health organisations are subject to these fines. Regardless of this, the financial penalties will be much higher than at present and, depending on the severity of the breach, potentially up to €20m.
Organisations can no longer charge for subject access requests except in exceptional circumstances, meaning organisations could also lose thousands of pounds of income a year that currently contributes to the resource required to process requests. Time limits have also been altered, with the data now to be provided within one month. Finances aside, the processes currently in place to handle patient data safely will need to be overhauled. Consent models have been strengthened, with implied consent no longer an option, and the Data Protection Officer role will be mandatory.
Organisations need to evidence their compliance in how they process data, and this is where it becomes apparent that IT providers also need to update their processes in line with these changes. In effect, the GDPR places heavy obligations on organisations to process data in a manner that protects it from unauthorised access and from accidental loss, damage or destruction. Contracts will need to be varied to reference the GDPR, with terms amended in line with the new liabilities – meaning that IT providers may be fined should a data breach occur within their domain. This has huge implications, as IT providers will be held liable where they have not been before. IT service providers will be looking to protect their position and mitigate these additional risks; in doing so, customers may find IT service providers charging more or fighting harder to limit their liability. Contracts will also need to reflect the changes to the portability of data held on systems. IT systems will need to support information audits; although these are usually managed through a data warehouse, it needs to be established that the data is available and sufficient for compliance with the GDPR.
This GDPR preparation comes at a time when NHS data security has been thoroughly tested and found lacking (see article: NHS Cyber Attack). It is going to be a busy time ahead preparing for the GDPR – in an already pressurised NHS, it can only be hoped that it is prioritised accordingly. Preparation is the only way to ensure that the GDPR does not become a burden in the future and is instead used as an opportunity to help organisations protect and process their data in the way the GDPR intended.