
What is GDPR? - Amazon Web Services

Date post: 22-May-2020

|GDPR|

What is GDPR?

A massive opportunity for hospitals…

…The trouble with opportunity is that it comes disguised as hard work!

I will be covering:

• The next 6 months
• Maintaining compliance

|GDPR|

The next 6 months?

• Awareness
• Information you hold
• Communicating privacy information
• Individuals’ rights
• Subject access requests
• Legal basis for processing personal data
• Consent
• Children
• Data Breaches
• Privacy by design
• Data Protection Officer
• International

|GDPR|

The next 6 months? Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

Immediate steps:

• Data Governance Committee
• Awareness Plan
• Mandatory DP training
• GDPR Strategy
• GDPR added to EMT agenda – Impact: Fines, Litigation etc.


|GDPR|

The next 6 months? Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

Immediate steps:

• Create a registry of all data held
• Modify data processing agreements
• Contact vendors requesting a plan for their GDPR compliance
• All data controllers and processors should sign a new DPA


|GDPR|

The next 6 months? Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

Immediate steps:

• Privacy Policy
• Review the data privacy detail on your website
• Create information posters
• Modify patient information leaflets


|GDPR|

The next 6 months? Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Immediate steps:

• Create/review Retention policy
• Department by department deletion plan
• On the data registry, log and maintain the last purge date
• Process to handle data inaccuracies


|GDPR|

The next 6 months? Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

Immediate steps:

• SAR process mapping
• Review the current volume of SARs
• Extra resources to handle increased workload
• Process for updating patient records


|GDPR|

The next 6 months? Legal basis for processing personal data

You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

Immediate steps:

• Review the data registry in relation to the proposed use stated on the consent form


|GDPR|

The next 6 months? Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

Immediate steps:

• The Data controller must demonstrate that consent was given
• Review admissions process
• Review auto responses to referrals etc.
• Ensure a detailed consent statement is clearly available online
• Will you pass a DPC remote review?


|GDPR|

The next 6 months? Children

You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

Immediate steps:

• Activate any Safeguard software that may be available within your IS
• Have particular policy sections pertaining to the requirements of children's needs


|GDPR|

The next 6 months? Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Immediate steps:

• Process map the breach policy
• Software to detect breaches
• Breach notification duty to the Supervisory authority (72 hours, all cases)
• Review notification process for data subjects


|GDPR|

The next 6 months? Privacy by design

Data privacy needs to be at the heart of all future projects.

Immediate steps:

• DPIA to be performed on all projects that might impact on the privacy of individuals.
• Document the process and publish report
• DPIA risk mitigation process
• What do we do when a DPIA indicates a risk that can’t be mitigated?
• Perform retrospective DPIA on existing systems?


|GDPR|

The next 6 months? Data Protection Officer

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

Immediate steps:

• Liaise with hospital management on the DPO post
• Discuss options with other hospitals and forums
• Plan a DPO committee?


|GDPR|

The next 6 months? International

If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

Immediate steps:

• Review any clinical or operational pan-European initiatives – e.g. Liver transplant service
• Ethics and Medical Research impact


|GDPR|

Demonstrating & Maintaining Compliance

Not only do organisations have to comply with the GDPR, they also have to be able to demonstrate compliance.

Process mapping:

• Fully reviewed SAR pathway
• Mapped GDPR pathway
• Mapped FOI pathway
• Mapped ROI pathway
• Mapped DP breach process
• All to be available in our privacy statement and accessible on our website

Software application to manage GDPR:

• Manages SAR, Data Registry, Breach Process, Retention Policy, Stats package etc.

|GDPR|

Process mapping – SAR

|GDPR|

Process mapping – DP Process

|GDPR|

Process mapping – FOI Process

|GDPR|

Process mapping – DP Breach Process

|GDPR|

GDPR Application

|GDPR|

Thank You

