Changes to the way data is held and processed are now in place following the adoption of the GDPR legislation, which came into force on the 25th May. Unless you have been living on a desert island somewhere, you could hardly have failed to notice this, given the plethora of emails flooding our inboxes these past few weeks.
As with any great legislative change that impacts directly on practice, healthcare professionals may once again be prone to the stress that such moves invariably induce. However, while it is necessary to comply with all legislation, compliance is easily achievable without a big headache if we follow the right process and, alongside our planning, take time to think about the underlying principles of why this law came into being and what it aims to protect.
We have always had a duty to protect the personal data of any patient. Now our roles and obligations have changed a little, such as the need to appoint Data Protection Officers. In addition, the definition of what is considered personal data has become broader. However, this alone should not ring alarm bells unduly. For example, defining criteria such as biometric data and Internet Protocol (IP) addresses as personal data should have minimal overall bearing on those who don’t store or use such data (besides perhaps doing a risk assessment to ensure this is the case).
It is therefore understandable why the well-known online monoliths that use widespread personal data processing and algorithm-based marketing, including your IP address as a marker, see this piece of legislation as challenging to their business model. Or, more accurately, as a barrier that stops targeted emailing or website customization aimed at those who simply don’t want to be pitched to endlessly like a cast member of the Dragon’s Den.
I think this is one of the main points (albeit far from the only difference to observe). This law will essentially offer greater overall data protection to everyone and give individuals greater control over who sees their data and what is done with it. It builds on measures that should already be in place to protect data, but is by no means the end result in itself.
This is echoed by the Information Commissioner, Elizabeth Denham, who recently commented on a radio show that her department is not expecting initial perfection but a commitment to moving forward, and is not looking to make examples of small businesses. GDPR is not the end of the process, and neither should its implementation be, according to Denham.
If you are a small business and looking to ensure compliance with the new GDPR law, Pharmacy Consulting Ltd can help you take steps in the right direction to achieve this.