The General Data Protection Regulation (GDPR) came into force in May 2017 and healthcare providers should be aware of crucial new requirements that differ from the current Data Protection Act regime.
GDPR sets a much higher bar for accountability and compliance. So, with that in mind, here are three steps healthcare businesses should take to avoid stumbling at the first hurdle.
Review, revamp and retrain
Reviewing your current data protection policy in light of GDPR is a sensible first step. Then revamp policies and procedures and make staff training mandatory.
It’s worth paying for an expert to provide intensive training at your place of business or at a designated centre. You can then top-up this training with regular online staff tests and reviews.
There’s also much more focus on transparency — you’re now required to provide specified evidence of compliance.
Authorities will therefore take a dim view of disorganized records management, which takes us to your next step…
Perform an information audit
If you’re not sure exactly what patient information you have or where it came from, the time for a remedial audit is at hand.
The ICO reports that 22% of recent audits revealed inadequate logging, tracking, movement or security of paper records.
Your audit needn’t be onerous, and it provides the ideal opportunity to test staff GDPR awareness and to tap into the knowledge of experienced administrators in search of ways to streamline your processes.
And remember that if your audit reveals inaccurate information that you’ve shared with outsourced services, you’ll need to make amendments and inform these firms right away.
Designate a key person
Public authorities must have a data protection officer under the GDPR regulations, but the legislative test for private firms is more ambiguous.
But whether you have an in-house or outsourced data protection officer, one thing is certain: you need to designate a trusted and trained records manager or information governance lead.
Staff members need a single point of contact to whom they report potential data breaches and who records and actions Subject Access Requests from patients. The new legislation shortens the completion window for these requests to one month rather than 40 days, so efficient internal procedures are a must.
Completing Subject Access Requests can be a complex process, so if your data protection officer lacks the specialist training required to sift, analyze, redact, and report relevant information to tight timescales, now’s the time to send them on a certified training course.
GDPR will place the activities of any outsourced services (data processors) under the microscope, so you’ll need to ensure that contracts clearly define the new regulatory relationships, roles, and responsibilities.
Most medical services already take data protection seriously but GDPR places your provision under a laser-like focus.
Firms found to have breached the new rules can face discretionary fines of up to 20 million euros or 4% of global annual turnover.
Getting ready for GDPR now ensures business and patient health go hand in hand.