A GDPR joke:
– Do you know a good GDPR consultant?
– Yes, I do.
– Great, can you give me his email?
If you run a GP practice, or any organisation that processes NHS patient data, you’ll know the joy of gearing up for compliance with the General Data Protection Regulation (GDPR) legislation, which became law from 25th May.
As a small business whose main concern is supplying software and services — specifically to analyse patient data — to NHS organisations, we have always been diligent about demonstrating our compliance with data protection laws and information governance requirements. It means our customers are confident that we’re trustworthy and compliant processors of NHS data.
Nevertheless, we’ve also been on a voyage of discovery to ensure every part of our business process is GDPR ready, and we thought it important to share with you our findings and how we ensure compliance. So, to stretch the metaphor to breaking point, climb aboard as we navigate the choppy seas of GDPR compliance.
Part of the journey to compliance has been spent assessing the risks associated with the key GDPR principles and ensuring we have processes in place to mitigate those risks. Those principles are:
- Lawful, fair and transparent processing
- Purpose limitation
- Data minimisation
- Accurate and up-to-date processing
- Limitation of storage in a form that permits identification
- Confidentiality and security
- Accountability and liability
So what have we been doing to ensure we are compliant?
The GDPR requirements have added another level of complexity to our existing processes. We’ve spent a lot of time reviewing and evaluating the data we collect from customers for support, contractual and account management reasons. This is to ensure that we collect and process only the data we need.
We’ve reviewed the roles of data controllers and processors in all our contracts, updated processing agreements and issued amendments to our processing agreements to all our customers. When reviewing our contracts, we worked with our customers to agree the variations and ensure compliance. This was no small effort, but ensures that our lawful basis for processing personal data is fair and transparent. Likewise, our reasons for processing the data are legitimate and made explicit in our processing agreements.
To keep our users up-to-date, we sent them our Customer and User Privacy Notice explaining how we collect, store and use personal data about customers and users of our software and services.
Did we really need all those emails asking for approval for further communications?
Probably not. Turns out many are unwarranted and some were possibly even illegal.[1] They’re usually sent by companies wanting to send direct marketing emails to consumers, yet some NHS Trusts were under the misapprehension that, for GDPR compliance, they needed to secure explicit permission from patients to send them appointment reminders.[2]
One of the most important points to remember about complying with GDPR is that you must have a lawful basis for processing someone’s personal data. Consent is only one of the six lawful bases, and is not required to send patients potentially life-saving appointment reminders. Consent is there to stop direct marketers deluging you with unsolicited spam, or playing fast and loose with people’s personal data.
GDPR is a huge and welcome leap forward for data privacy. People are now much more aware of the consequences of sharing their personal data. And this comes at a time when new healthcare-oriented technologies, such as fitness trackers and internet-enabled devices, are able to provide data that, when allied to advanced population health management systems, can help improve patient care and deliver better health outcomes. You can read more about this in our forthcoming discussion paper: Population Health Management in the New Digital Age.