Aesthetics July 2017

Page 58


Getting Ready for GDPR

Medical malpractice and risk specialist Martin Swann provides an introduction to the new data protection legislation, sharing his five top tips to prepare practices for compliance

The new European Union (EU) General Data Protection Regulations (GDPR) come into force on May 25 2018, meaning that the time for your practice to fully understand what’s coming and to plan is now! GDPR is compulsory for all businesses and is arguably the most significant amendment to data protection regulations for more than 20 years. Brexit is not going to remove these obligations; Theresa May has made clear that EU law will translate into our own domestic regulations5 and burying our heads in the sand won’t make it go away.

About GDPR

The EU GDPR was first introduced by the European Parliament in 2012.6 The intention of the new regulation was to strengthen data protection across the EU, unifying the protection of personal data for its citizens and residents, including the export of data outside the EU. One of the primary objectives of the GDPR was to give control back to individuals over the collection and use of their personal data. The aim was to simplify the regulatory environment for businesses trading internationally by unifying the regulation within the EU. The new GDPR regulations became law on April 27 2016,2 but businesses were given a two-year transition period to get themselves ready for compliance with the new regulations. Mandatory compliance will come into force from May 2018 and will replace the current Data Protection Act 1995 (DPA).7

What is changing?

One of the first things to make clear about these new regulations is that no business is exempt. The regulations bring in many significant changes that practitioners and clinic owners will need to understand and plan for before they are applied in 2018. These changes include:2

Consent: Increased requirements for consent to the processing of personal data. Data subjects must already express their permission for the business to hold their data, but consent from the patient must now be more detailed and you have to have explicit consent for its exact use. This consent must also be easily withdrawable.2

Plan: Implied obligation for all businesses to have a plan/process for dealing with breaches and data losses. Some professions, such as those with a professional regulatory body, have this obligation already, but the fines and penalties are now much more punitive. The company’s plan needs to include a process for identifying how the breach occurred and what data was compromised, a strategy for notifying the data subjects and regulators, and for fixing/mitigating the vulnerabilities that caused the breach (if any).

Mitigation: Increased obligations around the security of data, including ongoing mitigation of the risk of a breach, such as penetration testing, vulnerability sweeps, staff training, updating antivirus software and data encryption. This is usually undertaken by your IT provider/support company or a third party; however, some larger clinics may manage this in-house.

Data processors: Increased administrative requirements and obligations for data processors, including the ability to provide a full audit trail for the data held.

Personal data: The definition of what is considered personal data has now become more specific. More information on this is outlined in the regulations.2

DPO: Some businesses may now need to appoint a data protection officer (DPO), such as if you are a public authority or carry out large scale systematic monitoring of

Notifications: Mandatory notifications for all businesses in the event of a breach or loss. For example, loss or theft of a client file, malware, unauthorised access to the clinic’s network, or loss of a mobile phone, laptop or data stick that has client data on its hard drive. Breaches must be reported to the regulator without undue delay and, where feasible, within 72 hours of becoming aware. Each country will appoint its own regulator; the UK’s is currently the UK Information Commissioner’s Office (ICO); however, it has not yet been confirmed whether this will remain so once the GDPR regulations come into force. There will also be an obligation to notify the ‘data subject’, which could be a patient or client, of the breach. Where the data held by the clinic (within its network, website, computer/phone devices and patient files) has been rendered unintelligible to any third party, for example when a file has been encrypted, the obligation to notify the ‘data subjects’ is less onerous than when there is no encryption of the data. This means that you will still have to notify them, but if the data is encrypted you won’t have to send exact details of what has been compromised and what measures you are putting in place to monitor it.

Reproduced from Aesthetics | Volume 4/Issue 8 - July 2017
