The General Data Protection Regulation comes into force on 25th May. Are you ready yet? If not, hopefully, this will help - but you’ve only got four months to make sure your practice is fully compliant!
Remember before you start, this is general information. You should always consult your solicitor or legal advisors before making final decisions on any action, such as issuing new contracts, as the GDPR is as much a legal matter as an operational one.
1) Appoint a Data Protection Officer and Records Management Officer
They will, along with your partners/board/CEO, be responsible for overseeing data protection within your organisation.
2) Understand what you’re trying to understand!
Go to the ICO website and read through their Guide to the GDPR. The key things to get to grips with are:
What constitutes Personal Data - ANYTHING that could be used, even in conjunction with other data, to identify a person.
The expanded Data Subjects Rights.
The legal bases for processing.
Data Security recommendations.
The rules regarding data transfers - including overseas - and data processors.
The (rather scary) penalties for non-compliance!
3) Do a Data Audit so you know what you’re dealing with.
What information does your practice hold? What elements of it are personal, or sensitive? Where is it held, and who has access? Are there any third-party data processors? If so, do you have a suitable contract with them? Try to classify this data by risk on HACCP principles, weighing the impact of a breach against the probability of one, so that each category of data is rated high, medium or low risk. It is also useful to include a Data Flow Chart, mapping the movement of personal data through the organisation, from system to system and processor to processor.
4) Establish your legal basis for processing.
This may involve updates to your consent forms. This is something that will have to be done at the partnership/board/CEO level - generally, our industry has historically relied on Consent, but Legitimate Interests and Contracts may also be suitable. You will also need to make sure your Privacy Notices are compliant with the legislation - they should include information about Subjects' Rights and a general statement on what data you hold and process, including your use of Data Processors.
You will have to write a Records Management Policy, detailing what you hold, why, and for how long - and this should be built around your basis for processing.
5) Establish suitable security protocols.
These should include physical security and IT security. If your data is largely handled by a processor, you will need formal written notice of what security measures they provide - or at least assurance that they use suitable measures - as well as local policies. At the very least, these should include good local anti-malware software, firewalls, and a good backup policy. You can also find out more at the National Cyber Security Centre (NCSC).
6) Establish Breach and Rights Request Protocols
You’ll need to be able to determine what a breach is, recognise it, report it if necessary and manage it suitably. You should write a protocol that’s suitable for your organisation and that will help you to achieve this. The ICO has a great section on breach reporting.
Also, if a Data Subject opts to exercise one of their Data Rights, all your staff need to know how to deal with it. The Rights Request Policy should be a simple protocol to allow everyone to deal professionally and lawfully with such requests.
These protocols should be simple flowchart-style documents, easily followed in the heat of the moment!
7) Sort out your Data Processors
If it is possible to do something in house, you generally should - you then have control over the data! However, many systems cannot be managed practically in house - emails, telephone systems, websites, PMS servers etc. It will be necessary to make sure that they are suitable, have appropriate security and compliance measures (e.g. Privacy Shield if in the US), and that you have contracts to cover your respective legal requirements. Don’t forget simple things like payment processors, email providers, and telephone systems.
8) Write a Privacy Proof Protocol
Under the GDPR, all “future projects” need to be “Privacy by Design”. You will need a written protocol to allow you to do this.
9) Combine all of the above into a Data Protection Policy
This should be available to all staff, and updated regularly. You will also need to review it on set dates (usually annually) and check for compliance!
10) Start a staff training programme
You cannot just say “read this document”: there needs to be proper training, and it must be recorded that it has been done. The good news is that after doing all of the above, your DPO and RMO will be in the ideal position to offer the training in-house and for free! Also, remember that for professional staff (vets and RVNs) this counts as CPD and so can be set against their CPD budgets.
Need more information?
Your first port of call should always be the Information Commissioner’s Office (ICO). Their website has a huge range of tools to help you become compliant:
In addition, if you need more detailed advice, they are really helpful if you call or email them. You can even apply for a free ICO Data Audit.
The UK’s National Cyber Security Centre is good for advice regarding network and IT security and backup protocols. In particular, we recommend:
For antivirus solutions, the two best resources are the AV-Test and AV-Comparatives websites. AV-Test is more comprehensive and uses larger samples, but AV-C has a different testing protocol which may be valuable as an addition.
For legal issues, always discuss with your organisation’s legal advisors!