
General Data Protection Regulation (GDPR)- an overview

Presentation transcript:

1 General Data Protection Regulation (GDPR) - an overview

2 GDPR became law on 24 May 2016 and will take effect on 25 May 2018.

The General Data Protection Regulation (GDPR) applies to personal information and subsumes the Data Protection Act 1998 (DPA). GDPR became law on 24 May 2016 and will take effect on 25 May 2018. Although GDPR entered the statute books before the Referendum, it has been confirmed that its principles will still apply after the UK leaves the EU.

GDPR replaces the Data Protection Act. The DPA will be 20 years old next year, and we now use data in ways that we did not even imagine 20 years ago, so the legislation needed to be brought up to date to keep pace. The Regulation became law last year and will come into force in May 2018. Even though it entered the statute book before the Referendum, the government has confirmed that this law will stand when we leave the EU. This is because huge amounts of data flow between the EU and the UK, so we will need to comply with EU standards for that flow to continue.

3 What Stays the Same

- The principles are similar to, but more detailed than, those in the DPA and introduce an accountability requirement: it will be necessary to demonstrate how one is compliant with the Regulation.
- Any organisation which can demonstrate good compliance with the DPA and IG Toolkit (or any successor framework) will be well positioned for compliance with the new Regulation.
- The Information Commissioner's Office (ICO) will remain the UK regulator.
- The Human Rights Act and the European Convention on Human Rights will remain an important element of privacy and information law in the UK, in particular the right to a private and family life.

Effectively the Regulation just goes further than the DPA. All the best practice that we have been championing for the last 5 years now becomes law. The ICO will still be the regulator for the UK, and the current information and privacy laws will continue as before.

4 What Will Change for Individuals

- Wider rights of subject access and information about processing, the removal of the fee and shorter timescales
- The right to data portability: the provision of personal data electronically and in a commonly used format
- Greater transparency about the legal basis for processing
- The right to have information erased and inaccuracies corrected
- Stricter conditions for consent and the right to object

The difference for individuals is that they will have much broader control over their own information. There will be enhanced access rights. The right to portability means that individuals can re-use their information across different services, so we could be asked to provide information in a particular format or even to transmit data directly to another organisation; conversely, we could be asked to receive information in the same way. Organisations will have to be more open about what they are doing. The right to erasure (the right to be forgotten) will not apply to health records but will certainly apply to staff records, so it needs to be taken into account by the Trust. The right to have inaccuracies corrected means that we have to be able to annotate the health record to show if something is incorrect. Individuals will be able to object to any processing and be specific about it, so they will be able to differentiate between sharing with various organisations, and we will have to be able to accommodate these requests.

5 Implications for the Organisation

1. Awareness Raising
- Implementing the GDPR will have significant resource implications.
- Compliance will be difficult if preparations are left until the last minute.

For the Trust the implications are quite extensive. There will be big pieces of work to be done, so raising awareness of the changes needs to be the first action taken.

6 What information we hold

2. Information we hold
- Need to understand what information we hold, and how and why data flows in and out of the organisation.

3. Communicating Privacy Information
- Review current privacy notices to include the GDPR requirements: the legal basis for processing the data, data retention periods, and that individuals have a right to complain to the ICO.

We need to conduct an audit of all the information we hold and also of what we do with it. The data that flows in and out of the organisation needs to be accurately mapped to ensure we have the correct permissions in place and that they are documented correctly. The way we tell our patients what we do with their information also needs to be updated to comply, and we will have to proactively inform the public of their rights.

7 A review of policies and procedures to ensure compliance.

4. Individuals' Rights
- A review of policies and procedures to ensure compliance.

5. Subject Access Requests
- Update procedures and plan how we will handle requests within the new timescales.
- The impact of the changes could be considerable, with significant administrative costs.
- Consider extending systems that allow people to access their information easily online.

Although the Regulation is primarily an information law, it will affect the way we do a lot of things, so all policies and procedures will need to be reviewed to ensure we are working to the standards expected. Subject access requests: under the Regulation we cannot charge a fee for providing access to the information we hold, and the timeframe will reduce from 40 working days down to 20. The estimate is that applications will increase by about 40% when the service is free. Most of the applications received at the moment are to provide evidence of an injury for a claim, so they are relatively straightforward (an ED attendance, for example); however, the thinking is that in future the public will request everything we hold each time they apply. It is not going to cost them anything, and it is always interesting to see what information a large organisation holds about you. There is therefore a considerable resource issue to be addressed for this service, and of course the drop in income also needs to be considered.

8 Consent and Children

6. Consent
- A review of how we are seeking, obtaining and recording consent, and whether any changes are required.
- The GDPR is clear that controllers must be able to demonstrate that consent was given. We should therefore review the systems we have for recording consent to ensure we have an effective audit trail.

7. Children
- There are significant implications for services for children and the collection of their personal data.
- Parent or guardian consent must be verifiable, and privacy notices must be written in language that children will understand.

Consent is another big area of concern. At the moment we rely quite heavily on the absence of an objection to show we have consent; under the new legislation this will not be sufficient. We will also need to record that consent has been given in such a way that it can be audited. The way information is managed by Paediatric services will need to be reviewed; for instance, the way we inform patients needs to be understandable to children, so simple diagrams, pictures and very simple language. There are also tighter controls around parental or guardian consent.

9 8. Privacy by design and Data Protection Impact Assessments (DPIAs)

- Change of name from Privacy Impact Assessment (PIA).
- Currently only best practice; the GDPR will make DPIAs an express legal requirement.
- Will be required when there is a specific risk in data processing, for example where a new technology or process is being implemented.
- When a DPIA indicates high-risk data processing, we will be required to consult the ICO to seek advice as to whether the processing operation complies with the GDPR.

We have had privacy impact assessments for quite some time; however, the Regulation makes them mandatory for new processing of sensitive data, which all health data is classed as. PIAs are often completed in the middle or at the end of a project. That means all decisions have already been made and the PIA is just used to rubber-stamp the project. From next year that will not be sufficient: they will need to be completed at the beginning, so that any project involving the processing of identifiable data can be shaped around the legal requirements.

10 9. Data Protection Officer

- A designated Data Protection Officer (DPO) is required.
- Assess where this role will sit within our organisation's structure and governance arrangements.
- The DPO will take proper responsibility for our data protection compliance and should have the knowledge, support and authority to do so effectively.
- Need to consider now how to fill this role; we will need to designate a DPO to meet the GDPR requirements.
- The Regulation requires that the function is adequately resourced.

A Data Protection Officer needs to be appointed as a matter of urgency to lead the Trust in this work. The role is a mandatory requirement and, under the Regulation, has to be resourced adequately.

11 10. Data Breaches

- A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.
- The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows us to provide information in phases.
- If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
- Individuals can seek punitive damages from both controllers and processors, so if a sub-contracted company breaches our data then, as the controller, we would be held liable as well.
- Individuals do not need to show loss or damage; they only need to claim distress.

Data breaches: putting a timeframe on the reporting of a breach is a new requirement, although the ICO tends to take a dim view even now if organisations delay too long. 72 hours is going to require a considerable tightening up of the decision-making process. We are also required to inform the public if they are affected by a breach and to be proactive in ensuring they know their rights. Individuals can sue, and the Regulation makes this very easy; they do not have to prove any loss or damage, they just need to show they were upset. The legal profession are referring to this as the next PPI. Once the public understands the implications there will be a huge potential for jumping on the bandwagon. Responsibility has changed here as well: if an organisation to which we have sub-contracted the processing of our information breaches, then they are liable, but as the data controller so are we.

12 Fines for a breach of the GDPR are substantial

11. Non-compliance
- Fines for a breach of the GDPR are substantial.
- Regulators can impose fines of up to €20M or up to 4 per cent of an organisation's annual budget for breaching the basic principles of processing, including conditions for consent, or for breaching data subjects' rights.
- Where there is a breach of a controller's obligations, including security or notification of a breach, the fine is lower, to a maximum of €10M and 2%.
- For a large general hospital that could mean a potential fine of approximately €12M.

Unfortunately the fines have increased enormously, and these are not for data breaches but for a breach of the Regulation itself. There are two levels: up to €20M or 4% of annual budget for breaching a data subject's rights, and a lesser fine of up to €10M or 2% for breaching a controller's obligations. Remember this is not for a breach of confidentiality, as individuals will be suing for that; this is just for a breach of the law. The concern is that the regulators have been fighting for an increase in fines for some time, so it is unlikely that they will not use the powers they have now been given. There is an expectation that we will see some hefty fines levied in the first couple of years. It does need to be said that every Trust lives on a knife edge where personal information is concerned. We have so much identifiable data circulating, with so many people having access, that there is always a very real danger that we could have a breach. That is why we need to have our processes in good order, so we can show that we have been as responsible as possible.

13 12. Insurance

- Policies will need to be reviewed, and cyber and data protection exposure added to existing policies or purchased as stand-alone policies where possible.
- The scale of fines and the risk of follow-on private claims under GDPR mean that actual compliance is a must.
- GDPR is much broader than just a compliance challenge: it requires us to completely transform the way that we collect, process, securely store, share and securely wipe personal data.

We will need to review our insurance policies to ensure they cover us for data privacy exposure. This is more than just compliance, as it will affect everything we do with information.

14 Accountability is a recurring theme of GDPR

- Accountability is a recurring theme of GDPR. Data governance is no longer just a case of doing the right thing; organisations need to be able to prove that they have done the right thing to regulators, to data subjects and potentially to the media, often years after a decision was taken.
- GDPR joins anti-bribery and anti-trust laws as having some of the very highest sanctions for non-compliance.

Accountability is a theme of the Regulation. It is not enough to do the right thing; we need to record our decisions because we might have to show years later how we reached a decision. This shows the importance that the government places on this, as GDPR joins anti-bribery and anti-trust law with the highest sanctions for non-compliance.

15 Are we prepared for GDPR?

- We need to appoint a DPO to lead on preparing the Trust. Advice is that this should not be the SIRO, the Caldicott Guardian or an addition to another role; however, it could be a shared function with another Trust, as it probably will not be a full-time role after next May.
- They must have access to the Board and be senior enough to be able to stop a process immediately.
- This role is not the same as a Compliance Officer, as they will need to be technical: proficient in IT systems, information security and business continuity.

Appointing a DPO is probably the single biggest factor at the moment. This cannot be just a compliance officer, as they will need to have a good knowledge of data privacy law as well as the technical side, to be able to understand the IT.

16 Are we prepared for GDPR?

- identify and put in place the resources needed to achieve compliance
- train our senior staff initially and then put in place training for all staff
- conduct an audit of the information we hold, what it is and how it is used
- review our data sharing processes, contracts, consents, decision making processes
- map our data flows in and out of the organisation
- identify where the risks are and address them
