The Importance of GDPR In Healthcare

GDPR was enacted by the European Union in 2018 to protect the personal data of its citizens. To ensure that the UK continued to offer similar protections within its borders, post-Brexit, the Data Protection Act 2018, or UK GDPR, was also released the same year. Both versions are basically the same, with the same intent and rules.

In simple terms, the GDPR controls how organisations use and collect personal information and gives people the right to access how their data is used. The GDPR also stipulates that an organisation must meet specific criteria or have a user’s consent before storing or processing personal data.

In 2021, the Information Commissioner’s Office (ICO) reported that 3,557 personal data breaches occurred in two years across a range of healthcare providers. Most incidents occurred in NHS facilities.

Further investigations in 2022 have revealed that tens of thousands of NHS patients have had their data breached. Sensitive information on patients’ home addresses and their health status was shared with unrelated third parties.

While no specific GDPR charges have been brought, criminal charges are still being considered. Affected patients can sue providers in court. Claimants can be awarded between £2,000 and £10,000 in damages.

The ICO has stated that an average of two NHS employees per day are being penalised for GDPR breaches.

The GDPR has serious implications for healthcare providers. Workers often deal with vulnerable people who aren’t able to understand how their information is being used or give consent for the use or disclosure of sensitive personal data.

All healthcare providers and facilities must prove that they adequately protect their patients’ personal information. This means they must take steps to comply with GDPR requirements.

Meeting the GDPR requirements for healthcare means ensuring the integrity of all data by implementing cyber security measures and incident response plans that will protect core functions and critical infrastructure in the event of a cyber-attack or security breach.

The advice in a GDPR compliance checklist should be based on official guidance for NHS facilities, social care facilities and other healthcare providers. While the GDPR requirements for healthcare can initially seem daunting, compliance can be achieved by ensuring the following measures are taken.

All healthcare organisations must develop and implement a GDPR compliance plan that meets six accountability requirements.

Healthcare providers must:

• Know who is responsible for developing and implementing the GDPR compliance plan
• Perform a gap analysis of its current compliance status and act upon the recommendations
• Develop a timeline for the implementation, review and auditing of compliance measures
• Ensure that all stakeholders at the highest levels of the organisation support GDPR compliance
• Educate all staff about their responsibilities under GDPR
• Take steps to make sure that all information governance systems are entirely GDPR compliant

Healthcare organisations must keep detailed records of where all personal data is stored, processed and shared. They must fully understand how these processes work and audit them regularly. An Information Asset Owner responsible for data processing must be appointed.

Data protection impact assessments (DPIAs) identify risks to data security. They provide information on how to evaluate, eliminate or mitigate these risks. DPIAs must be conducted and reviewed regularly to provide compliance with GDPR. A healthcare organisation must appoint a competent person responsible for DPIA practices.

A Data Protection Officer (DPO) must be nominated. They must have the necessary skills to carry out their role and be given enough resources to do so adequately. A DPO can be from a third-party organisation and may be responsible for multiple healthcare facilities. If this is the case, every organisation must be able to gain access to the DPO when required.

Under the GDPR, data processing can only be undertaken if one of six criteria is met. Only one of the criteria can be chosen for each instance.

The six lawful criteria are:

• Consent has been explicitly given by the data subject
• Data processing is necessary to fulfil a contract
• There is a legal requirement to process the data
• It is in the vital interests of the data subject (to protect their life or the life of another person)
• It is in the public interest or required as part of the exercise of official authority vested in the controller
• There is a legitimate interest in processing the data

All healthcare organisations and providers must diligently work to detect, report and investigate any data breaches. Data breaches must be reported to the ICO within 72 hours of the organisation becoming aware of them. Individuals who are impacted by data breaches must also be informed.

Serious GDPR breaches in healthcare facilities are often down to individual employees who don’t know the correct way to handle personal data. Providing your people with accredited, in-depth GDPR training ensures patient data is kept safe and your organisation fully complies with the GDPR requirements for healthcare.

Your patients must be secure in the knowledge that their data is kept safe and used correctly. Our GDPR Staff Awareness training course teaches the importance of GDPR in healthcare. Give your team the skills required to maintain compliance so you don’t run the risk of a hefty fine!