GDPR, the General Data Protection Regulation, is EU legislation that applies from 25 May 2018. In the UK it supersedes the Data Protection Act 1998 as the governing data protection regime (the UK's Data Protection Act 2018 supplements it). There are two key reasons it is being introduced: to bring all EU member states under one common regulation, and to update data protection law to reflect the digital age.
Different countries in the EU have previously followed different rules and regulations on data sharing and privacy, which can get confusing when data is shared between people and companies in different countries. GDPR applies directly in all 28 EU member states, so everyone follows the same rules. It also reaches organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
In the UK, companies have followed the 1998 Data Protection Act to protect people's data. But technology and data sharing have developed a lot since 1998, so the current regulation is no longer well suited to the needs of consumers or to the kinds of technology in use today. GDPR replaces the Data Protection Act with a regime written for that environment, including explicit security and breach-notification duties.
The GDPR applies to 'personal data', meaning any information relating to an identified or identifiable natural person: someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity (Article 4(1)).
The GDPR applies both to automated processing of personal data and to manual filing systems where personal data is accessible according to specific criteria. This includes chronologically ordered sets of paper records containing personal data, such as a folder of daily notes.
Examples of personal data include, but are not limited to, the identifiers listed above. Health data, which care providers process routinely, is 'special category' data under Article 9 and can only be processed where one of the stricter conditions in that article applies.
Essentially, GDPR affects everyone in all 28 EU member states, from businesses big and small to customers and consumers. This includes ALL care providers that process personal data.
1. The scale of fines (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, under Article 83) and the risk of follow-on private claims mean that actual compliance is a must. GDPR is not only a legal and compliance challenge; it is much broader than that, requiring organisations to transform the way they collect, process, securely store, share and securely wipe personal data. Engaging senior management and forming the right team is key to successful GDPR readiness.
2. Organisations will need to map current data collection and use, carry out a gap analysis of their current compliance against GDPR and then create and implement a remediation plan, prioritising high risk areas.
3. GDPR will require suppliers and customers to review supply chains and current contracts. Contracts may need to be renegotiated to ensure GDPR compliance and commercial terms will inevitably have to be revisited in many cases given the increased costs of compliance and higher risks of non-compliance.
4. Insurance arrangements will need to be reviewed and cyber and data protection exposure added to existing policies or purchased as stand-alone policies where possible. The terms of policies will require careful review as there is wide variation among wordings and many policies may not be suitable for the types of losses which may occur under GDPR.
Rights of Individuals
Under GDPR, individuals will have increased rights, including the following:
The right to be informed: you must tell people why you are processing their data, and provide a privacy notice that gives them transparency over how you use their personal data.
The right of access: you must confirm whether their data is being processed and give them access to their personal information, normally free of charge and within one month of the request.
The right to rectification: you must allow people's information to be amended if it is inaccurate or incomplete.
The right to be forgotten– the right to erasure is also known as ‘the right to be forgotten’. This right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
GDPR requires that "the controller shall be responsible for, and be able to demonstrate, compliance with the principles" (Article 5(2), the accountability principle).
The principles in Article 5(1) are that personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes (purpose limitation); adequate, relevant and limited to what is necessary (data minimisation); accurate and kept up to date; kept in identifiable form no longer than necessary (storage limitation); and processed with appropriate security, including protection against unauthorised access, loss and damage (integrity and confidentiality).
The Information Commissioner's Office (ICO) publishes guidance on what it expects controllers to do in order to demonstrate accountability against these principles.
You can seek external certification, but you don't need to. Under GDPR it is the controller itself that must demonstrate compliance. The regulation expressly recognises approved certification schemes (Article 42) as one acceptable way of demonstrating compliance, but it does not mandate any.
As a care provider, you will likely have data stored across many different mediums.
To be GDPR compliant you must have a documented reason for holding personal data and an explanation of why it is stored in each format. Article 30 requires a written record of processing activities, and the small-organisation exemption in Article 30(5) does not apply where processing includes special category data such as health records, so a care provider should expect to keep one. You must consider where your data is held:
You must ensure all your paper records are documented and accounted for, including but not limited to care plans, daily records, charts, staff information and 3rd party contact details.
Standard or Software Encrypted USB Sticks and Hard Drives
GDPR does not certify or ban particular devices. Article 32 requires technical and organisational measures appropriate to the risk and names encryption as one such measure. Care records on an unencrypted removable drive are very hard to defend under that standard, and a drive that relies on software encryption is only as good as the way it is used: a staff member can copy a file off the encrypted container in plain text, or the drive may still hold plaintext written before encryption was switched on.
Deleting a file, emptying the recycle bin or quick-formatting a regular USB drive only updates the file system's directory entries and allocation table; the data blocks themselves stay on the flash until they happen to be overwritten. The drive therefore carries not just traces of what was stored on it but, in many cases, full copies that basic recovery tools can carve out. On flash media the problem is worse than on a spinning disk: the controller's wear-levelling can leave an old copy of a block in a physical cell the host can no longer address, so "secure delete" utilities that overwrite a file in place are not reliable on USB sticks.
Hardware-encrypted USB sticks and hard drives are the better fit: a crypto processor inside the device encrypts everything written to the flash, so without the PIN or key the contents, including deleted remnants, are unreadable. Two caveats apply. The protection is only as good as the device's implementation, so buy from a vendor that documents its design and has it independently tested, and manage PINs and recovery keys so a departing staff member cannot take them with them. Losing the device is still a personal data breach that must be recorded, but where the data was rendered unintelligible by encryption you are generally not required to notify the individuals affected (Article 34(3)(a)).
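The following is an added example, not StoriiCare's code or any tool the page describes. It models the remanence problem above with a constructed toy drive (contiguous allocation and a single directory, a stand-in for FAT rather than a real FAT implementation) and two constructed sample files, then runs a signature-based carver over the raw bytes the way a recovery tool would. Deleting or quick-formatting leaves both records carvable; only overwriting the unreferenced blocks removes them, and the comment notes why even that is not enough on real flash.

```python
BLOCK = 512  # bytes per block, sector-sized like a real removable drive

# Header/footer pairs a file carver scans for; these are the real PDF and JPEG markers.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed sample files standing in for a care plan and a resident photo.
CARE_PLAN = b"%PDF-1.4\n% care plan for resident 0042 (constructed sample)\n%%EOF"
PHOTO = b"\xff\xd8\xff\xe0JFIF constructed sample\xff\xd9"


def blocks_for(length):
    return max(1, -(-length // BLOCK))


class ToyFlashDrive:
    """Constructed model of a removable drive: a raw byte array plus a directory
    mapping file name -> (first block, length). Delete and quick-format touch
    only the directory, which is exactly what FAT/exFAT do on a real stick."""

    def __init__(self, blocks=32):
        self.raw = bytearray(BLOCK * blocks)
        self.directory = {}

    def _used_blocks(self):
        used = set()
        for start, length in self.directory.values():
            used.update(range(start, start + blocks_for(length)))
        return used

    def _free_run(self, needed):
        # First run of `needed` free blocks; block 0 is reserved for the directory.
        used, run_start, run_len = self._used_blocks(), None, 0
        for b in range(1, len(self.raw) // BLOCK):
            if b in used:
                run_start, run_len = None, 0
                continue
            run_start = b if run_start is None else run_start
            run_len += 1
            if run_len == needed:
                return run_start
        raise OSError("drive full")

    def write(self, name, data):
        start = self._free_run(blocks_for(len(data)))
        off = start * BLOCK
        self.raw[off:off + len(data)] = data
        self.directory[name] = (start, len(data))

    def read(self, name):
        start, length = self.directory[name]
        off = start * BLOCK
        return bytes(self.raw[off:off + length])

    def delete(self, name):
        del self.directory[name]  # the entry goes, the bytes stay

    def quick_format(self):
        self.directory.clear()  # same thing for every file at once

    def overwrite_free_space(self):
        """Software-level wipe: zero every block the directory no longer references.
        Not modelled here: real flash wear-levelling can keep an old copy of a block
        in a physical cell the host cannot address, so this is not a guarantee."""
        used = self._used_blocks()
        for b in range(1, len(self.raw) // BLOCK):
            if b not in used:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)


def carve(raw):
    """Ignore the file system and scan raw bytes for header..footer pairs.
    Returns (kind, offset, payload) tuples sorted by offset, like a recovery tool."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            h = raw.find(head, pos)
            if h < 0:
                break
            f = raw.find(foot, h + len(head))
            if f < 0:
                break
            found.append((kind, h, bytes(raw[h:f + len(foot)])))
            pos = f + len(foot)
    return sorted(found, key=lambda t: t[1])


def demo():
    drive = ToyFlashDrive()
    drive.write("care_plan.pdf", CARE_PLAN)
    drive.write("photo.jpg", PHOTO)
    drive.delete("care_plan.pdf")  # "deleted" in the file system's view only
    after_delete = sorted(k for k, _, _ in carve(drive.raw))
    drive.overwrite_free_space()  # wipe what the directory no longer references
    after_wipe = sorted(k for k, _, _ in carve(drive.raw))
    drive.quick_format()  # the live photo is still on the flash afterwards
    after_quick_format = sorted(k for k, _, _ in carve(drive.raw))
    return {"after_delete": after_delete, "after_wipe": after_wipe,
            "after_quick_format": after_quick_format}


if __name__ == "__main__":
    print(demo())
```

Run it and `after_delete` lists both the "deleted" PDF and the photo, `after_wipe` only the photo, and `after_quick_format` still the photo. Point the `carve` function at a real raw image (for example the output of `dd` on an unencrypted stick) and it behaves the same way, which is the quickest way to show a colleague why a lost unencrypted drive is a reportable breach.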
Printing from a computer system
If you print records or care plans from a digital platform you will then have two copies. Both of these copies will need to be documented and evidence provided as to how they are processed.
Storing your documents with a cloud storage provider or a digital care system such as StoriiCare that uses cloud storage can make compliance easier, but it does not make you compliant on its own: the provider is your processor, you remain the controller, and the provider's documentation covers only its side of the arrangement. Ask your cloud provider for its GDPR compliance documentation and check that its terms meet the processor obligations in Article 28.
We recommend getting independent legal advice to support your preparations, but if you have not already started, a good place to begin is the data mapping and gap analysis described above, prioritising the high-risk areas.
StoriiCare gives you a quicker and easier route to becoming compliant with GDPR.
StoriiCare meets the data processing requirements that apply to it as a processor under GDPR. Like many governments, Adobe, Airbnb and Netflix, we use Amazon Web Services (AWS), the largest cloud provider, to host our client data. AWS documents the controls for the infrastructure it operates; under its shared responsibility model, the configuration and operation of the service on top of that infrastructure is ours. We will provide all our clients with our GDPR documentation, which can be used alongside your own documentation to evidence compliance.
Using StoriiCare gives you the peace of mind and knowledge that your information is secure and quickly accessible when needed, but only accessible to authorised individuals.
As a company you will still be responsible for ensuring your own compliance, but if your data is managed by a third party such as StoriiCare, you can ask the third party to document how it manages GDPR compliance. Article 28 also requires that the relationship be governed by a written contract (a data processing agreement) setting out what the processor may do with the data, its security obligations and how it handles sub-processors and breach notification.
View some of the companies that also use AWS for cloud storage - https://aws.amazon.com/solutions/case-studies/all/
Read more on cloud computing and AWS here - https://aws.amazon.com/health/?nc1=f_dr
View the AWS GDPR Help centre - https://aws.amazon.com/compliance/gdpr-center/