We’re all going to have to change how we think about data protection. This is the key message the Information Commissioner, Elizabeth Denham, made clear earlier this year when she referred to the implementation of the European General Data Protection Regulation (GDPR), which will take effect on 25 May 2018 and apply to any organisation that processes personal data. The GDPR will have a major effect on how veterinary practices should manage data.
The GDPR will harmonise data protection law across the member states of the European Union. This will allow EU citizens to understand how their data are being processed and, if necessary, to raise a complaint with the supervisory authority of any EU member state. The purpose of the new legislation is to bring greater accountability and transparency to businesses that hold personal data.
The GDPR will affect your practice if it holds, uses or maintains individuals’ data. For instance, if it:
1. maintains employees’, suppliers’ or any other individuals’ data on its IT systems and paper records (including payroll)
2. sends updates or marketing correspondence in any format to clients or any prospective clients
How to ensure your practice is compliant
Key decision-makers within a veterinary practice must be aware that the current data protection law is changing to the GDPR, and staff should be aware of their rights and responsibilities. Practically speaking, this may involve appropriate training. Some practices may also need to appoint or instruct a data protection officer to advise the practice. The GDPR sets no headcount threshold for this: a data protection officer is mandatory only for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data (health data, for example). Most practices will fall outside these criteria but may still choose to appoint one.
In addition, your practice must document the personal data it holds. This means it should know where the data came from, where they are kept and who they are shared with. The GDPR requires organisations to maintain records of these processing activities. The exemption for organisations with fewer than 250 employees does not apply where processing is not occasional (regular payroll and client records, for example), so in practice most practices will need to keep these records. It may therefore be necessary for your practice to organise an information audit to ensure compliance. Processing that is likely to result in a high risk to individuals (for example, large-scale use of new technologies) must undergo a Data Protection Impact Assessment, which helps the practice identify the most effective way to comply with the new requirements.
The GDPR also requires businesses to give individuals further information about the data they hold. In addition to giving its identity and explaining how it will process an individual’s data (usually done through a privacy notice), under the GDPR your practice needs to explain:
1. its lawful basis for processing the data
2. its data retention periods
3. that individuals have a right to complain to the Information Commissioner’s Office if necessary
Individuals have a number of rights under the GDPR, including the right of access, the right to rectification, the right to erasure and the right to data portability. Your practice will need to ensure it is prepared to respond to individuals should the need arise.
In addition, under the GDPR, an individual is still entitled to make a subject access request to view their personal information. Your practice will have one month to comply with the request (rather than 40 days), extendable by up to two further months where requests are complex or numerous, provided the individual is told of the extension within the first month. There will no longer be a fee payable by the applicant, although a reasonable fee may be charged, or the request refused, where it is manifestly unfounded or excessive.
A pivotal change will be the standard for obtaining individuals’ consent where consent is the lawful basis relied on for processing data. This would apply, for instance, should your practice wish to send marketing emails and texts, updates or reminders to clients. Prior to the GDPR, implied consent was considered sufficient. Under the GDPR, consent must be freely given, specific, informed and unambiguous. Practices must offer individuals a positive opt-in, like a form with the option of ticking a box for consent, rather than a pre-ticked box. In addition, consent must be kept separate from other terms and conditions, it must be as easy to withdraw as it was to give, and the practice must be able to demonstrate that consent was obtained, so records of when and how each individual consented should be kept.
What are the consequences of failing?
The Information Commissioner’s Office (ICO) will be given considerable power when it comes to fining organisations that breach the GDPR. The maximum fine will rise to 4% of global annual turnover or €20 million, whichever is the greater, from the current maximum fine of £500,000.
Fines are being issued on a more regular basis; Elizabeth Denham stated earlier this year that “last year we issued more than £1 million in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use”.
What will happen after Brexit?
The government has confirmed its intention to bring the GDPR into UK law, and that this would not be affected by Brexit. Post-Brexit, while we are unable to comment with any certainty, the intention is that the GDPR framework will be retained and amended as is deemed necessary.