Care home owners have until 25 May to ‘get their house in order’ to ensure they can prove how they are protecting people’s data.
Data has a value. It may even be the new oil and we all, as individuals, are being mined. Tech companies like Facebook are not the only organisations getting scrutinised for how they protect people’s data.
A new data protection law, applying in the UK from 25 May 2018, will see GDPR (the General Data Protection Regulation) enforced across the European Union.
The Government will repeal the current Data Protection Act (DPA) 1998 on 24 May 2018, and the DPA’s eight principles will be replaced by six.
The six principles focus on accountability – that is, evidence that organisations big and small (including care homes) are protecting people’s data by demonstrating that they adhere to data privacy requirements.
One consultant has dubbed GDPR as a chance for care providers to start “Giving Data Proper Respect”.
Gary Hibbard, managing director of consultancy Agenci, speaking at the Dementia Care and Nursing Expo 2018, said: “We are suffering from information obesity. It’s time to go on a diet. It’s time to get healthy.” This includes removing any data the organisation does not need to keep.
“25 May 2018 is coming. The ICO is not going to come and knock on your door the next day, but GDPR will be enforceable so you must have evidence you can back up” [to show you adhere to data protection].
Companies which breach GDPR can expect hefty fines of up to four per cent of global turnover or 20 million Euro (whichever is the higher).
But he advises: “Build evidence of compliance and don’t panic”.
Companies need a clear process for managing data breaches and breaches must be notified to the Information Commissioner's Office (ICO) within 72 hours. It will, from 25 May, be mandatory to report data security breaches to the information commissioner, rather than simply good practice.
The ‘data subject’ has additional rights which include the right to be forgotten. Care providers will need to seek consent to store the information held - and this is retrospective. Organisations that monitor and track behaviour must appoint a data protection officer and will need to conduct data protection impact assessments.
GDPR stays post-Brexit
Companies will be obligated to inform individuals about why they are collecting their personal data, how it is going to be used and with whom it is going to be shared. Although GDPR is a piece of EU law, the Government has made it clear that the UK will remain signed up.
Organisations are being encouraged to identify their data, clean their data, review their policies, contracts, processes and agreements and understand how the data is protected.
For more details, visit the ICO website to check out its 12 steps and GDPR assessment toolkit.