Roger Matthews, who prepared the Simplyhealth Professionals guide to GDPR in 2018, sounds a warning note to dentists.
One year on from the passing of the Data Protection Act 2018, incorporating the EU’s GDPR, some may be wondering whether - like the “Millennium Bug” - it was all just a scare story.
Not so. The Data Protection Network - a free online resource centre) points out that 25 May 2018 was not just a hoax, but an extensive and much-needed update, backed by some serious sanctions.
You may be thinking: “So, where is the enforcement, the predicted heavy fines?” But the Information Commissioner (ICO) points out that although headline-grabbing penalties of 56 million Euros were levied last year, these were mostly against big hitters like Facebook, Google and Equifax.
And ICO adds that most action was taken against “legacy” offences under the previous Data Protection laws; building up cases under the new more rigorous Act will take some time, but is underway.
Particular issues are still sources of inherent risk, says DPN, and particular examples are:
- Supplier contracts: many data breaches occur as a result of failures by third party agents, but without compliant provider contracts, data owners are still in the firing line. Have you reviewed contract with, for example, your software supplier, your website manager or host?
- Most dentists will have privacy notices stating that “legitimate interest” is the lawful basis for collecting some, or all, patient data. But have you carried out a formal written assessment?
- Staff training: human error remains the single weakest point in all data management. Are your staff (including any new arrivals) fully up to date with your policies and processes and have you documented it? In fact, did you actually test their knowledge?
- Can you show that there is good accountability (governance) for data protection? Have the practice owner/s and/or data controller/s explicitly spelt this out in a comprehensive data protection policy - and signed it off with a review date?
I would also add the need for Associateship agreements to be updated, making clear that (under most circumstances) they act as data processors, not controllers; they must act strictly in accordance with practice policies, and provide warranties that this will be the case.
DPN points out that in distinction to most European nations, which police data controllers under Civil law, UK Regulators act under Common Law. Across the EU generally, “things that aren’t permitted are forbidden”. However, in the UK the rule is: “things that aren’t forbidden are permitted”. It’s a nuanced point but does mean that it takes time for the UK Courts to build up case law under new regulations.
In summary, be prepared: “Many suspect the Regulators are just warming up…”
