The key personnel in your organisation should be aware that data protection law is changing. Team members should have GDPR training provided by the practice.
A key person should be appointed to take overall responsibility for complying with GDPR and for ensuring data protection has a very high priority within the practice or organisation.
Practices should review and enhance their risk management processes and record their actions.
You should think about what could cause a data breach or security problem in the practice and what you could do to reduce the risks of a breach.
Think about the risks relating to paper records and electronic records and how you can mitigate these risks.
Some DO’s and DO NOT’s
- Do not leave people’s information out on your desk
- Do lock filing cabinets
- Do not leave data displayed on a screen (use a screensaver)
- Do not leave your computer logged on and unattended
- Do change your password frequently
- Do not choose a password that’s easy to guess
- Do not give your password to anyone, ever!
- Never send anything by fax or e-mail that you wouldn’t put on the back of a postcard
- Do not disclose any personal information without the data subject’s consent or verifying the enquirer (e.g. phone the police officer back via the station switchboard)
And finally, …
Never put anything on email that you don’t want to see on the front page of the Daily Mail because…
The internet never forgets!
- Make a list of all the things in your practice that could cause a data protection breach or a security issue. Then add the risk involved and what you have done or need to do to mitigate the risk. This is your first step in being able to demonstrate that you are working towards compliance with GDPR requirements.
- All practices should ensure they have a clear, robust, binding written contract with their practice management software suppliers and all other external data processors that ensures they comply with GDPR.
Think about the dangers in practice and ask yourself:
- Who can hear your phone call?
- Who are you actually talking to?
- Do they really need to know?
- Who can see your PC screen?
- Where does waste paper go?
- Provide training to all team members
- Appoint a key person for data protection responsibilities
- Risk assess the current data protection compliance
- Enhance the data compliance policies and procedures
- Make a list of all the things in your practice that could cause a data protection breach or a security issue
- Have robust contracts with practice management software suppliers and all other external data processors that ensure they comply with GDPR