GDPR - GPC - Blog 2
GDPR part two, the story continues
Blog two of the series! Having said hello in my first blog (https://www.bma.org.uk/connecting-doctors/the_practice/b/weblog/posts/gdpr-for-gps-from-the-it-lead-for-gpc), this is a sort of setting-the-scene post: a bit of background, and an offer of a plan for the next few weeks.
Many ask “Why GDPR?”
Well, the original EU Directive (full title, for the nostalgic: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”), as it said on the tin, was written in 1995. Oasis were number one with “Some Might Say”, and I was 38, in my first session on what was then called the General Medical Services Committee. Amazon had only been trading for a year and only sold books; Mark Zuckerberg was 11, another 9 years before he’d go up to Harvard and launch “The Facebook”. The world marvelled at the Blackberry thumb-wheel, and Apple would ferret away in their labs for another twelve years before emerging with the first iPhone. Uber and AirBNB hadn’t even been dreamt about. In short, the DPA was very much pre “social media / digital revolution” and, although undoubtedly ahead of its time, there’s no way it could have pre-empted what’s happened since. We’ve come a long way in those 20+ years, mostly to our very great advantage, but not always; our occasionally adverse experience of a disseminated, digital, direct and instantaneous world demanded a refresh and update. GDPR is that refresh. Its ethos is simple: to provide for EU residents “respect (for) their fundamental rights and freedoms, in particular their right to the protection of personal data”. Basically, GDPR tightens up on many of the elements of the 1998 DPA, enhances the existing rights of Data Subjects (DS) and creates new ones that were not anticipated in the original. Data Controllers (DCs), which in the context of this blog means GPs, get stronger support for declining data extracts as well as new responsibilities, and as DCs we must comply with the new laws and must be able to demonstrate compliance rather than just be aware of them. Finally, the consequences of non-compliance or breaching have changed.
OK that’s GDPR so what’s this DPA2018 I’ve heard about?
GDPR also allows individual countries some flexibility (derogations) in some aspects of the law, and these will be made law in the Data Protection Act currently going through parliament as the Data Protection Bill (House of Commons), which you can track* here: https://www.parliament.uk/business/news/2018/march/have-your-say-on-the-data-protection-bill/. GDPR will stand alone but will be supplemented in the UK by the new act, which will repeal the 1998 and 2003 Data Protection Acts. In this blog “GDPR” means GDPR and DPA2018 taken together.
GDPR becomes law on 25th May 2018, does all of this have to be in place by then?
Well, yes and no. Technically yes, because it will be the law of the land, but in reality unlikely. The ICO has stated “GDPR compliance will be an on-going journey”, and that they will be “proactive and pragmatic” about the “real world” that practices find themselves in. If you are already following good practice under the DPA 98 and are taking reasonable steps to implement GDPR using guidance such as the BMA’s or this blog, it’s unlikely the ICO will be on your doorstep on 26th May, if for no other reason than they don’t have the requisite 10,000 inspectors. You will, however, need to have at least started a plan, and that’s where this blog comes in: to help GPs and their practice managers with that plan. I’m aiming, providing my career isn’t destroyed by the GMC in the meantime, to produce a weekly blog, each one focussing on the pragmatic, practical stuff that we GPs need and crave.
Next week – the lowdown on DATA PROTECTION OFFICERS.
Dr Paul Cundy
14th March 2018