Pat Langley, Chief Executive Officer from Apolline, shares some thoughts on the new EU General Data Protection Regulation (GDPR) which becomes effective on 25 May 2018.
The Data Protection Act 1998 (DPA) was designed to protect personal data stored on computers or in an organised paper-filing system. The Act was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them.
The world has moved on considerably since 1998, with widespread use of the internet, commercial internet services and the emergence of social media platforms. Most of us now have a huge amount of information stored about us by an increasing number of organisations, so it is only right and proper that we have enhanced regulations to protect us all. Many of the same principles of the 1998 Act do still apply, which means that if you comply with existing Data Protection regulation, you may already be quite well along the road to complying with the new regulations. Our experience at Apolline has been either that practices don’t always fully understand the 1998 Act, or they haven’t fully thought through how they apply to their practice. That means there may be quite a bit of work to do to comply with GDPR.
Compliance for your dental practice
Currently there is relatively little information available about what dental practices must do to comply and perhaps we should expect this given the fact that they are new regulations and are yet to be tested. That means that any and all information there is could change and it is best to regard all current ‘advice’ as a best guess at what is required rather than something that is clear and written in stone. It is true to say that no one has all the answers at the present time, which makes it very difficult for dental practices that want to be sure they are doing the right things.
ICO has a website for updates and it advisable to check this regularly for further guidance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
Distilling information from GDPR workshops
In the absence of definitive guidance, I have attempted to distil what little information there is into practical steps practices can and should be taking to help them prepare for GDPR. I have had the privilege of doing this with the help of some 500 or so delegates who have attended the GDPR training workshops I have run recently for Practice Plan. These sessions have been invaluable in thinking through practical solutions to everyday practice situations.
Introducing our new course: GDPR for Dental Practices
We are delighted to unveil our new GDPR course, created specifically for dental practices, offering 2 hours and 30 minutes of verifiable CPD for participants.
Upon completion of the course, you will have an increased understanding of:
- Your legal obligations under the GDPR
- How to implement the changes you need to make to become compliant
- What this means for your day to day work.
Why should your practice bother with this?
Put simply, the potential consequences of non-compliance are enough of a reason to focus the mind of even the most anti-regulation practices. The data protection authorities will have some very robust powers for tackling non-compliance, including fines of up to 4% of turnover or €20 million for the most serious infringements, meaning that doing nothing is not a wise option!
However, it is also important to keep it all in perspective. The intention is not to paralyse businesses so our message is stay grounded, make some changes (see below) and be vigilant. It is also worth noting that there won’t be a whole army of GDPR inspectors calling on dental practices from 25 May! Issues are more likely to arise as a result of a data breach that could have been avoided or from a vexatious patient or team member (either current or previous). It is also worth remembering that the data protection authorities have made considerable efforts to educate the public about their rights.
Under GDPR, some things change, but not everything. In general, the GDPR builds on existing principles and adds tighter obligations and restrictions on businesses.
The GDPR requires that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and kept up to date (inaccurate personal data must be erased or rectified without delay)
- Kept in a form which permits identification of data subjects for no longer than is necessary
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It is clear that this is an evolving situation and no one, not even the Data Protection Authorities have all the answers to GDPR and its’ implications.
We will continue to evolve our thinking as new information becomes available and will keep you informed of any changes as they become apparent.