There are eight elements to a GDPR checklist, said Richard Merrygold, director of Group Data Protection, Homeserve, at last week’s PSUK Live Conference in Newmarket.
The elements are:
- Get to know your data: Understand the types of data you hold, particularly special category data, where it comes from and goes to, and how you use it
- Identify your lawful basis for processing data. Where you rely on consent, make sure it is clear, informed and unambiguous. Avoid relying on consent where possible
- Review security measures and processes. Good antivirus, strong passwords and hard drive encryption are vital
- Respect an individual’s rights. Data subjects have the right to access all their personal data within 30 days, to have inaccuracies rectified, to object to certain processing and to be ‘forgotten’ (data erasure) without undue delay
- Train employees. Human error is the biggest cause of data breaches. Make sure employees understand their obligations in relation to the processing of personal data
- Conduct due diligence on your supply chain. Business partners that process data on your behalf (for example a DAC) should comply with data processing regulations. Your contract terms should specify their obligations to you in relation to data processing, for example, in relation to breach notification
- Provide fair processing notices. Clarify how you use the personal data you collect. Consider an online privacy notice
- Consider appointing a Data Protection Officer. If your company’s core activity involves regular or systematic monitoring of data subjects on a large scale or large quantities of special category data, eg health information, you must appoint a data protection officer. Your CCG or health board will be able to advise you on this.
In the presentation, Mr Merrygold advised that GP practices could rely on legal bases other than consent when processing individuals’ data, for example for marketing purposes.
Other legal bases include:
- As part of a contract
- Legal obligation (eg, request from police, HMRC, etc)
- Vital interest (life or death situation)
- Public interest (eg request for information by public health organisation)
- Legitimate interest (where the data subject would reasonably expect you to use their data in that context).
Legitimate interest would include a dispensing practice marketing its dispensing service to registered dispensing patients, provided the practice can justify the processing as good for business, and that controls are in place to make the processing fair and transparent (eg, opt out notice), Mr Merrygold confirmed.