The General Data Protection Regulation (GDPR) is a new set of EU rules that will replace the existing Data Protection Act and will become law in the UK on 25 May 2018.
The new rules will require every organisation that processes personal data, including the NHS and independent health organisations, to meet strengthened standards for data protection.
Many of the main requirements of GDPR are similar to those in the current Data Protection Act. However, there are a number of new elements that may require significant changes in the way organisations handle data.
These include:
- The requirement, where appropriate, to appoint a Data Protection Officer
- An obligation on organisations to demonstrate that they comply with the new law
- Significantly increased penalties, which can be imposed for any breach of the Regulation, not only for data breaches
- A legal requirement to notify the supervisory authority (the Information Commissioner's Office in the UK) of a personal data breach within 72 hours of becoming aware of it
- The removal of charges, in most cases, for providing copies of records to patients or staff who request them, and a new timescale requiring the copies to be provided within one calendar month
- The requirement to keep records of data processing activities
- Increased rights for data subjects
Sector-specific information for health organisations has been published by the Information Governance Alliance (IGA) on its website to support the transition. This includes a GDPR checklist, an FAQ section and general advice with links to further information.
The information is available here: https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance