GDPR: are you starting to prepare?
General Data Protection Regulations (GDPR)Â will apply in the UK from 25 May, 2018, irrespectiveÂ of Brexit. NPA chief pharmacist Leyla Hannbeck looks atÂ the implications for pharmacy
As a rule of thumb, if your organisation needs to comply with the Data Protection Act, then it will need to comply with GDPR. But GDPR will introduce new elements and significantly enhanced requirements regarding data protection.
GDPR and DPA responsibilities are similar but the most signifi cant new addition is the â€˜accountability principleâ€™ requiring organisations to demonstrate they comply with GDPR principles. Organisations will need to maintain records of data processing activities. GDPR applies to â€˜personal dataâ€™ but the definition is more detailed than the DPA. It even suggests an IP address can be â€˜personal dataâ€™. The new definition reflects changes in technology and the way personal information and personal identifiers are harvested.
The key areas to consider are: lawful processing of personal data; consent; and childrenâ€™s personal data.
Under the GDPR, all individuals have the following rights: to be informed; to rectifi cation; to erasure; to restrict processing; to data portability; to object; to access; and in relation to automated decision-making and profiling.
This will be a new duty to report certain types of data breaches to the Information Commissionerâ€™s Offi ce (ICO) and to the affected individual(s) in some cases. Failure can result in a fine, up to Â£10m or 2% of the organisationsâ€™ global turnover. More information is in the ICO resource: overview of the GDPR.
Top tips to prepare for the GDPR:
â€¢ Raise awareness within your organisation of the forthcoming changes, especially with key decision makers. Identify areas of concern. Implementation can impact on your organisational resources, both personnel and financial.
â€¢ Carry out an audit of all personal data held by your organisation, where it has come from, who it has been shared with.
â€¢ Identify your organisationâ€™s lawful basis for processing personal data, document it and include it in the privacy notice.
â€¢ Review and update privacy notices to meet additional requirements under the GDPR. Explain the lawful basis for your organisation to process personal data, the data retention periods and the individualâ€™s rights to complain to the ICO.
â€¢ Check whether your current procedures cover all the individualâ€™s rights under the GDPR. Ensure they cover the right to delete personal data and data portability rights.
â€¢ Review and update procedures for subject access requests. Review how your organisation will handle requests to adhere to the new timeframes.
â€¢ Review how your organisation seeks, records and manages consent. Make required changes to comply with the GDPR â€“ the ICO has published draft guidance on consent under the GDPR. The final guidelines will only be published by the ICO after the Article 29 Working Party of European Data Protection Authorities (WP29) has agreed its Europeside consent guidelines; this is expected to be December 2017. You can use the ICOâ€™s draft guidance on consent for now until the fi nal version is published. Refresh all existing consent as required to comply with the GDPR.
â€¢ Start planning how to age-verify childrenâ€™s ages and obtain parental/guardian consent to process childrenâ€™s personal data.
â€¢ Review and update, if required, your organisationâ€™s procedure on managing data breaches to comply with the GDPR.
â€¢ Appoint a Data Protection Officer (DPO), if required.
The NPA has produced an additional resource â€“ General Data Protection Regulations: brief overview.
For further information call 01727 891800 or email firstname.lastname@example.org.
Bust the myths around acne causes so you can recommend effective products and self-care advice
Discover the key benefits of Guardium so you can recommend this PPI with confidence to help ease heartburn and acid reflux symptoms