CIOs: Is your health organisation ready for the GDPR?
UK Information Commissioner Elizabeth Denham has described the implications as 'the biggest change to data protection law for a generation', but most current data practices are being strengthened rather than overturned. CIOs still have time to ensure their organisation is prepared before the regulation comes into force on 25 May 2018.
Teams first need to develop a readiness plan for the General Data Protection Regulation (GDPR). The team will likely comprise representatives of legal, IT and HR, with support from staff in other departments.
They then need to identify all of the personal data held in the organisation, taking particular care with special category data such as health records. Each data set should be documented, recording the purpose for which it is used, the location where it is stored, and the names of anyone who has access to it.
Procedures must be put in place for any data processing. Current practices may no longer be sufficient, as the GDPR includes a number of new or strengthened data subject rights.
The new list of individual rights includes:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Organisations should evaluate their current data governance practices, and document the lawful basis for any processing. Any aspects that are now inadequate should be updated as required. Take note of how data flows across international borders.
Be careful to ensure that any children's data is used appropriately and that all consent is still suitable, as the requirements for both have been significantly strengthened.
The European Commission has released a new website with extensive guidance on GDPR implementation, together with a Fact Sheet with Q&As on the GDPR.