The key personnel in your organisation should be aware that the data protection law has changed. Team members should have GDPR training provided by the practice.
A key person should be appointed to take overall responsibility for complying with GDPR and for ensuring data protection has a very high priority within the practice or organisation.
Practices should review and enhance their risk management processes and record their actions.
You should think about what could cause a data breach or security problem in the practice and what you could do to reduce the risks of a breach.
Think about the risks relating to paper records and electronic records and how you can mitigate these risks.
Some DO’s and DO NOT’s
- Do not leave people’s information out on your desk
- Do lock filing cabinets
- Do not leave data displayed on a screen (use a screensaver)
- Do not leave your computer logged on and unattended
- Do change your password frequently
- Do not choose a password that’s easy to guess
- Do not give your password to anyone, ever!
- Never send anything by fax or e-mail that you wouldn’t put on the back of a postcard
- Do not disclose any personal information without the data subject’s consent or verifying the enquirer (e.g. phone the police officer back via the station switch board)
And finally, …
Never put anything on email that you don’t want to see on the front page of the Daily Mail because…
The internet never forgets!
Think about the dangers in practice and ask yourself:
- Who can hear your phone call?
- Who are you actually talking to?
- Do they really need to know?
- Who can see your PC screen?
- Where does waste paper go?
- Training should be provided by the data controller
- A key person should be appointed for data protection responsibilities
- Risk assess the current data protection compliance
- Enhance the data compliance policies and procedures