|GDPR|
What is GDPR?
A massive opportunity for hospitals… The trouble with opportunity is that it comes disguised as hard work!
I will be covering:
• The next 6 months
• Maintaining compliance
The next 6 months?
Awareness
Information you hold
Communicating privacy information
Individuals’ rights
Subject access requests
Legal basis for processing personal data
Consent
Children
Data Breaches
Privacy by design
Data Protection Officer
International
Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Immediate steps:
• Data Governance Committee
• Awareness Plan
• Mandatory DP training
• GDPR Strategy
• GDPR added to EMT agenda – impact, fines, litigation etc.
Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Immediate steps:
• Create a registry of all data held
• Modify data processing agreements
• Contact vendors requesting a plan for their GDPR compliance
• All data controllers and processors should sign a new DPA
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Immediate steps:
• Privacy Policy
• Review the data privacy detail on your website
• Create information posters
• Modify patient information leaflets
Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Immediate steps:
• Create/review Retention policy
• Department by department deletion plan
• On the data registry, log and maintain the last purge date
• Process to handle data inaccuracies
Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Immediate steps:
• SAR process mapping
• Review the current volume of SARs
• Extra resources to handle increased workload
• Process for updating patient records
Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Immediate steps:
• Review the data registry in relation to the proposed use stated on the consent form
Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Immediate steps:
• The Data controller must demonstrate that consent was given
• Review admissions process
• Review auto responses to referrals etc.
• Ensure a detailed consent statement is clear and available online
• Will you pass a DPC remote review?
Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Immediate steps:
• Activate any Safeguard software that may be available within your IS
• Have particular policy sections pertaining to the requirements of children’s needs
Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Immediate steps:
• Process map the breach policy
• Software to detect breaches
• Breach notification duty to the Supervisory authority (72 hours, all cases)
• Review notification process for data subjects
Privacy by design
Data privacy needs to be at the heart of all future projects.
Immediate steps:
• DPIA to be performed on all projects that might impact on the privacy of individuals
• Document the process and publish report
• DPIA risk mitigation process
• What do we do when a DPIA indicates a risk that can’t be mitigated?
• Perform retrospective DPIA on existing systems?
Data Protection Officer
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
Immediate steps:
• Liaise with hospital management on the DPO post
• Discuss options with other hospitals and forums
• Plan – DPO committee?
International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Immediate steps:
• Review any clinical or operational pan-European initiatives – e.g. Liver transplant service
• Ethics and Medical Research impact
Demonstrating & Maintaining Compliance
Not only do organisations have to comply with the GDPR, they also have to be able to demonstrate compliance.
Process mapping:
• Fully reviewed SAR pathway
• Mapped GDPR pathway
• Mapped FOI pathway
• Mapped ROI pathway
• Mapped DP breach process
• All to be available in our privacy statement and accessible on our website
Software application to manage GDPR:
• Manages SAR, Data Registry, Breach Process, Retention Policy, Stats package etc.