GDPR

Full Health Medical are preparing... Are you?

The new General Data Protection Regulation (GDPR), put forth by the European Commission in 2012 and agreed upon by the European Parliament and Council in December 2016, will replace the Data Protection Directive 95/46/ec on the 25th May 2018. The GDPR emphasises clarity, security and accountability by data controllers and processors. At the same time it strengthens and streamlines the right of European citizens to data privacy.

In an effort to do this it has given data protection authorities more robust power to tackle non compliance and fine parties 2% - 4% of global turnover or €20M whichever is higher.

While this is technically more work for organisations it will provide greater protection for us as individuals and will help to increase transparency and well informed consent.

The Data Protection Commissioner has prepared an introductory document with 12 steps for organisations to help them in preparing for GDPR. You can find it here: “The GDPR and You”. (note it is not an exhaustive list). In summary some of the main points from within these include the following:

  • Become aware, pick key personnel to be informed and start to prepare.
  • Become accountable, organisations are now required to demonstrate and document their compliance in transactions.
  • Ensure that the information you are providing the individual is GDPR compliant (see formal list). This includes topics such as the reasons behind why you are gathering their data and ensuring that the information given is clear, concise and easy to understand.
  • Address personal rights to privacy. Some of these include: subject access, to have inaccuracies corrected, and to object to direct marketing.
  • Prepare for access request changes. The new rules mean you can no longer charge for access requests (unless you can demonstrate that the cost is excessive). The timescale for processing the request is also shortening. Systems and policies for dealing with this topic and that which it encompasses are advised.
  • You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. All organisations need to carefully consider how much personal data they gather, and why.
  • Review your consent systems to ensure they are compliant with GDPR. You also need to ensure you have an effective audit trail.
  • If the work of your organisation involves the processing of data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians.
  • The GDPR will bring in mandatory breach notifications, which will be new to many organisations
  • The GDPR introduces mandatory Data Protection Impact Assessments (DPIA). The GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law.
  • Somebody will be required to take responsibility, in some cases a data protection officer will need to be appointed.
  • Multinational organisations will be entitled to deal with one Data Protection Authority, referred to as a Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.

This document is created as an initial guide only and is not exhaustive. This document does not constitute legal advice or legal analysis. We suggest you begin your preparations reviewing the official GDPR website and considering getting official legal advice.