From May 25, 2018, the General Data Protection Regulation (GDPR) will significantly change the way healthcare organisations use and store all their personal information. The changes for data protection will be the biggest across Europe since 1995 and the UK since the Data Protection Act (DPA) in 1998. Most data security professionals agree it’s a radical change and long overdue.
Keeping confidential information about staff and patients secure is a responsibility all healthcare providers have taken seriously for years. Indeed, the DPA underpins much of the GDPR, but with a crucial difference; while organisations were encouraged to comply with the DPA in case of data breaches (and many were fined if they were found to be negligent following a breach), now all organisations that hold, control or process personal data, including health and social care organisations, are legally bound to comply. So while the DPA encouraged best practice, the GDPR enforces compliance.
This difference has huge implications for big and small healthcare organisations that will now have to grapple with the idea of creating GDPR awareness across their entire staffing regime, out into third sector partnerships and beyond.
If the Information Commissioner’s Office (ICO) is called in to investigate an organisation for any number of reasons, that organisation will have to show the measures it’s taken to ensure compliance. If a data breach occurs and a trust does not follow the necessary compliance framework, the ICO will be obliged to issue a fine.
The level of the fine will depend on the type and scale of the breach and on the extent to which an organisation can show that it has attempted to adhere to the GDPR requirements or has sought to correct any identified lapse.
Under the GDPR, the maximum for a lower, tier 2 fine is £8 million or 2% of the organisation’s annual global turnover, whichever is higher. Or, if the organisation has shown disregard for GDPR, a higher tier could take fines up to £18 million or 4% of annual turnover, whichever is higher.
Generally, breaches of controller or processor obligations, or failure to notify the ICO of a breach within 72 hours could be subject to a fine within the lower tier, while breaches of data subjects’ rights and freedoms will result in the higher level of fine.
Healthcare organisations will not be exempt from such fines if they’re found to be negligent around storing and processing data.
The ICO has repeatedly said it will not deliberately scapegoat organisations for non-compliance and fines will be dissuasive rather financially crippling. Nevertheless, the ICO has also said that negligence will be met with the full force of the law. In essence, don’t panic; but do panic if you fail to take the GDPR seriously.
It’s not just the slap on the wrist that worries many managers and directors. It will also involve reputational damage that could be far worse than the fine itself, particularly as most organisations are part of a larger framework of healthcare providers. If any part of this framework is found to be failing in its duties to comply with the regulation, the knock-on effect will be felt by everyone.
So the GDPR is to be taken very seriously.