GDPR. It’s been a hot topic for a lot of people for some time now. We’ve all heard about it, but with its introduction now looming, it’s well worth reminding ourselves what exactly it is, why it’s coming in and how it might affect us all in the healthcare industry...
What is GDPR?
For some time now, the UK has protected the privacy and integrity of people's data under the Data Protection Act 1998. While it has served well enough for the most part, it has not proven robust in dealing with the ever-changing world of digital data. To offer more protection for everyone's information, the GDPR (General Data Protection Regulation) has been designed to supersede the Data Protection Act regime.
Rules around data privacy do currently hint at the responsibility that organisations have when it comes to handling and storing people’s data. But GDPR is designed to really encourage accountability and ensure that data protection is a much more proactive process.
It's a European Union regulation (not a directive, so it applies directly without needing separate national legislation) that covers all EU member states and comes into force on 25 May 2018. Once in force, individuals should have far greater control over their data and who has access to it. It should also clamp down on the abuse of people's data and provide a single, standardised framework for everyone across all EU member states to adhere to.
Because one of the main focuses of GDPR is accountability, one big change heading our way is that organisations will be expected to actually demonstrate adherence to the rules. It will no longer just be assumed that the regulations are being followed. There needs to be proof of it.
Following GDPR isn't just a box-ticking exercise of making sure you do everything that's asked of you. It requires more than simple compliance. Documentation must be kept, and made available on request, that records what personal data of EU residents is held, why it is held and on what legal basis.
Organisations will no longer be able to repurpose information about someone, for example to use it for direct marketing, unless the new purpose is compatible with the one the data was collected for or a fresh lawful basis is established for it. In practice that usually means specific consent from the individual.
It will be easier for people to withdraw consent with regards to organisations handling and using their private information. It'll also become harder for those organisations to obtain and retain data without a specific and stated reason. Consent is only one of the lawful bases GDPR recognises, but any processing that has no valid lawful basis at all will be a breach of the regulations.
Data Controllers and Data Processors
What exactly you're required to do to follow the new regulations will depend on whether you qualify as a 'data controller' or a 'data processor'. You could even fit into both categories.
Article 4 of the GDPR guidelines explains the differences between the different roles like this:
- ‘The data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’
- ‘The data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.’
So the controller is the organisation that retains and uses the information, effectively 'owning' the data and dictating how it's used. The processor is generally the third party that handles the data for tasks on behalf of the controller. So at Cegedim Rx, we're the data processors and those of you that own and run pharmacies are the data controllers. This means that we are obliged to follow security protocols and to process data only on your documented instructions under a written contract, but ultimately it's the pharmacies' responsibility, as controllers, to ensure that GDPR regulations are being fully complied with. Note that processors carry their own direct obligations under GDPR too, so being 'just' the processor is not a way of passing all of the responsibility on.
What does it mean for your business?
Well, hopefully it shouldn't be quite as huge an overhaul as it is for other industries. Most healthcare practices, because they already deal with sensitive medical information about patients, will already operate fairly robust security when it comes to data.
Healthcare practices still need to take GDPR seriously. Fines for data breaches and non-compliance can be large enough to make a significant impact on the business, meaning the incoming regulations are not to be ignored or dismissed as unimportant.
Compliance should not just be viewed as a chore. The kind of data that healthcare practices retain isn't just generic information like email addresses or shopping preferences. Just think of all the in-depth patient data you may be in receipt of, some of it really quite personal. Health data is treated as a 'special category' of personal data under GDPR, with extra conditions on when it may be processed. Healthcare practices have a real duty to ensure that this information is handled in the correct way and that security is and remains a priority.
What your business should do to prepare
At this stage, you should have already begun implementing changes to ensure that GDPR compliance will not be a problem come 25 May. If you haven't, the issue needs to be addressed immediately. If your business is large and complex enough, employing a Data Protection Officer or hiring a consultant temporarily may be the way to ensure compliance. Bear in mind that GDPR makes appointing a Data Protection Officer mandatory in some cases, including where an organisation's core activities involve large-scale processing of special category data such as health records, so check whether that applies to you.
If your company is quite small, however, and GDPR isn't going to be a huge issue, it makes sense to assign an employee the responsibility, or to assume it yourself.
As healthcare practices are data controllers, they must be crystal clear about what their legal basis is for any processing of patient data. That includes the collecting, recording, retrieving, using and retention of patient data. They also have a responsibility to report personal data breaches to the Information Commissioner's Office: under GDPR a breach that is likely to put individuals' rights and freedoms at risk must be reported within 72 hours of the practice becoming aware of it, and where the risk is high the affected patients must be told as well.
What Cegedim RX have done to prepare for GDPR
The dispensing software and clinical services delivery platforms that we run, helping healthcare practices all across Britain, process data for millions of patients every single day. So we have a huge responsibility to manage that, often quite sensitive, information in a safe and controlled manner. It's a responsibility that we take very seriously indeed, and as such we've ensured that we are as GDPR compliant as possible.
We welcome the tightening of the rules and believe that people have fundamental rights when it comes to the correct use of their private data. That's why we've always adhered to the strict rules of the Data Protection Act and will strive to follow GDPR guidelines and rules at all times. We also hold ISO 27001 certification, meaning our information security management system and its risk management processes have been audited and approved by an accredited certification body.
It's important that GDPR is taken seriously, carefully considered and actioned. We've done our level best to ensure that we are fully compliant with the new rules by 25 May. If you're unsure how in line you'll be with the incoming regulations, it's best to seek external advice and ensure you're as compliant as possible.
The Information Commissioner's Office is the best place to start. It's an independent public body that reports directly to Parliament and was set up to uphold information rights in the public interest, promote openness by public bodies and protect data privacy for private individuals. Its published GDPR guidance is a great place to begin.