I’m really (really!) hoping this will be my last blog on the GDPR for a while… Once we hit 25th May, although of course the ongoing burden of monitoring and maintaining compliance and implementing Privacy Impact Assessments will remain, I intend to take a nice long break from the subject! However, there is one absolutely vital facet we need to remember. For those of us who have spent however long up to our eyeballs in this stuff, it’s easy to forget that for most of our colleagues, it’s just a set of initials. Unfortunately, in the eyes of the law, this is not sufficient!
What does the law require of us?
Fundamentally, it is the duty of the organisation to provide suitable training to any and all of their staff who process personal data (which in most veterinary practices will be everyone, to a greater or lesser extent). While this is not explicitly stated in the legislation, it is nevertheless a requirement.
If you have a Data Protection Officer, then they are specifically required to oversee “training of staff involved in processing operations” (Art. 39(1)(b)). If you do not have a DPO, their duties devolve onto either the CEO (i.e. senior partner or principal), or the organisation as a whole - including the need for training.
On a more basic level, however, all organisations are required to be compliant with the GDPR. This is why the ICO have determined that staff training is a necessary component of demonstrating compliance in accordance with the Principle of Accountability.
Why is this important?
We see this all the time in practice, don’t we? If a client doesn’t understand why they need to do something, then they probably won’t do it - or at least won’t do it properly! Good concordance breeds good compliance.
It’s exactly the same with your staff - your written documents may be perfect, and you may have all the ideal policies, but if your staff don’t know about them, then they aren’t worth the paper they’re written on. At the moment, it appears likely that failure to provide suitable training would cast the liability for any subsequent data breach back on the organisation as a whole, or at least management and their DPO.
More importantly, staff who aren’t trained are more likely to make mistakes, potentially dangerous ones. We live by this all the time in practice - after all, it’s one of the key features of the Veterinary Surgeons Act, that only people with suitable training and CPD can carry out clinical procedures. So why should data protection be any different?
How can we achieve this?
Well, if you want to, you certainly can throw money at the problem - I know that there are a lot of companies who will provide GDPR solutions. However, while it is probably worth making sure that there is someone in the practice who is well resourced, it needn’t be too expensive. There are a wide range of resources available - the ICO’s Resources and Support page is invaluable, for one thing! - plus there are a number of very good free, or cheap, webinars available. However, this is almost the icing on the cake - any training has to be focussed on YOUR practice, YOUR policies, and YOUR problems. It is worth remembering too that this training is legitimately CPD, and can be recorded as such by vets and RVNs (a fact which may sweeten the pot!).
At VetHelpDirect, we use a self-study guide, with key facts and points about our policies interspersed with questions and opportunities for staff to reflect upon them in relation to their specific role. The whole sequence (including videos!) takes about 3-4 hours, but can be done in modules. This is followed by an open seminar, at which everyone discusses what they’ve learned, and how it applies to them. They also sometimes (uncomfortably but definitely helpfully) tell us when we’ve missed something important that we need to add…
We also do “on-demand” training - we had an open Q&A on marketing emails just a couple of weeks ago. Finally, we have a schedule of refresher training so that no member of staff goes more than 12 months without being reminded of their responsibilities.
This took some time to write and prepare - but (with the exception of some CPD done by our DPO) was all written and produced in house. As a result, it addresses the issues we have, and the policies we have written to deal with them. Additionally, the principle of see one, do one, teach one applies here as much as anywhere else - we probably learnt as much by writing the programme as we did from days and weeks studying the guidance and legislation!
Is this the only solution? No, of course not. But the important thing is that we have a centralised training programme, which is tracked to minimise the chance of anyone falling through the cracks. It’s also planned, so the risk of someone becoming a detailed expert in one small area of the law but not knowing how to handle a routine issue is also as small as we can make it.
The bottom line is that you need to provide some form of training to your staff that is suitable to their roles and responsibilities in your practice. This must be documented and recorded, and periodically refreshed. But at least your staff can offset it against their CPD requirements!
If you need advice about the GDPR, please call us and we’ll do what we can to assist! However, your policies and approach will need to be tailored to your practice, and so we do recommend that you seek advice from your own legal team.