One Month to Go Until GDPR – is your Social Care Company Ready?
We’re on the one-month countdown to the introduction of one of the biggest shake-ups in data protection for a generation. The EU General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018; the Data Protection Act 2018 will bring the GDPR into UK law and completely replace the Data Protection Act (1998). The UK Government has confirmed that the GDPR will remain a legal requirement and an example of best practice in the UK, even after Brexit. Here’s another chance to read our blog on how GDPR will impact upon social care organisations.
As with all large-scale changes, it’s best to be prepared. If you need assistance in navigating the switch to GDPR, at Insequa we provide training, ready-to-go GDPR policies, and support and advice to help you and your organisation through the maze of new regulations. Call us on 0115 896 3999 if you need our help.
How will this affect social care providers?
The new legislation will have a significant impact on the social care sector, given the increased focus on accountability, the proposed changes to what counts as ‘Personal Data’, and the new requirement to appoint an internal Data Protection Officer, who will be responsible for ensuring compliance with the new regulations.
The GDPR’s data protection principles set out the main responsibilities for organisations. These principles are similar to those in the DPA, with added detail at certain points and a significant new accountability requirement. The GDPR will require organisations to demonstrate how they comply with the principles – for example by documenting the decision-making process regarding data processing activities.
To demonstrate their compliance with the GDPR, social care providers will be required to:
- Implement appropriate technical and organisational measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Implement measures that meet the principles of data protection by design and data protection by default.
- Adhere to approved codes of conduct and/or certification schemes.
As well as the obligation to provide comprehensive, clear and transparent privacy policies, an organisation with more than 250 employees is required to maintain additional internal records of all its processing activities.
Organisations with fewer than 250 employees are required to maintain records of activities related to higher-risk processing, such as processing of personal data that could result in a risk to the rights and freedoms of an individual.
The GDPR still applies to the protection of ‘personal data’, but compared with the DPA, the GDPR’s definition of what constitutes personal data is more detailed. This expanded definition of what is classed as personal data covers a wide range of personal identifiers, such as an online picture, reflecting the ever-changing technologies and techniques by which organisations collect information.
The GDPR also applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria, such as manual records kept in chronological order. This is a more comprehensive definition than the DPA’s and is especially relevant to social care providers.
It is important to note that personal data that has been pseudonymised can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
Data Protection Officer
Under the GDPR, certain organisations must appoint a Data Protection Officer (DPO). These include organisations that carry out large-scale systematic monitoring of individuals, such as social care providers.
The DPO’s minimum tasks include:
- To inform and advise regarding obligations to ensure compliance
- To monitor compliance with the GDPR
- To be the first point of contact for supervisory authorities and Service Users
The DPO must report to the highest management level of the organisation and be allowed to operate independently. Organisations that do not appoint a DPO will still be required to comply with the GDPR, and to demonstrate their compliance if required.
Preparing for Compliance with GDPR
The ICO has recently released a document entitled Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It is a checklist of the 12 steps which they recommend organisations take to prepare for the introduction of the GDPR. It is important to plan for the introduction of the GDPR, as there may be a need to put new procedures in place to cover the new requirements for data protection compared with those required by the DPA; for example, the increased emphasis on the documentation required to demonstrate an organisation’s accountability and compliance with the GDPR.
GDPR is not something to be overly anxious about, but it is ultimately something that all organisations need to be aware of and ensure that they are prepared for. Here at Insequa we can help you prepare. Our team of social care experts can support care providers in navigating the choppy waters of the sector. If you need assistance with GDPR changes, or want support with tender writing, compliance software, policies, CQC audits or any other areas related to the business of social care, give our friendly and knowledgeable team a call on 0115 896 3999. We offer a number of solutions to GDPR headaches, including staff training sessions and presentations, and GDPR policies written especially with social care in mind. Our friendly team of experts is waiting for your call; they’re always happy to chat, so don’t hesitate to pick up the phone.