On 25th May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). A reform of current EU data protection law, the GDPR is designed to reflect the increased challenges posed by new technologies. Although the UK is due to leave the EU, on 25th May 2018 it will still be a member state and therefore subject to the new legislation.
The GDPR retains the principles of the DPA. However, there are some enhanced obligations, and the penalties for breaching them are severe. As such, Practices would be advised to begin preparations now to ensure these obligations are met by the due date.
Collection and storage of customers’ personal data
The most pressing issue for Practices concerns the collection and storage of customers' personal data. Practices must be able to show that the customer is aware of what information is being collected and stored, and that the customer has given their consent to this. Practices must also be able to show they have informed customers of their right to access, change and amend their data, and that customers know how their data is being used. Customers will also have the right to request a copy of their data, so records will need to be available in a downloadable and transferable format. Practices will now have to respond to requests for information within one month of the request being made (a reduction from the forty days stipulated by the DPA). For many Practices this may present some issues, as their databases may not offer a printable or transferable export. Checking this now is essential, particularly if it means new software is required, as this may need to be budgeted for.
Right of erasure
Customers will also have the ‘right of erasure’, also known as the ‘right to be forgotten’. There must be a process for this, and the customer should be made aware of it. Furthermore, Practices must be able to clearly show they have made the customer aware of this process. This particular part may cause Practices some ethical issues, particularly if they are suspicious of a customer’s activities but do not have sufficient evidence to bring the customer to the attention of the relevant authorities. Keeping track of such customers will become increasingly difficult, and sharing that information with other Practices will also pose problems.
Importantly, data security must be ensured. Practices are mistaken if they think they are not a potential target for hackers! Hackers routinely target small to medium-sized businesses on the basis that they are easy targets with little more than basic cybersecurity in place. Ensuring data is secure, and being able to prove that the level of security is ‘appropriate to the risk’, is an essential requirement of GDPR compliance. In addition, a cyber attack such as a ransomware attack (where hackers block access to the data until a ransom has been paid) could be disastrous to a Practice – imagine not being able to access patient history or your customers’ phone numbers! Practices will have to report breaches of data within 72 hours, and in the event of a ‘serious’ breach, the Information Commissioner’s Office must be informed.
If a Practice is found to be in breach of the GDPR, it will also be easier for customers to claim compensation for that breach. The financial penalties are severe – fines of up to 4% of annual turnover or 2% of annual turnover plus €10 million – so ensuring your Practice is GDPR compliant is essential. On the positive side, customers like to know their data is safe and that the Practice is taking their privacy seriously. Getting ahead of the curve on compliance will reinforce the relationship you have with your customers, who are more likely to remain loyal to a Practice where they know their data is safe.
Further information on preparing for GDPR can be found here: ICO’s 12 Steps
Pet Medic Recruitment is a leading recruiter for the veterinary industry and supplies staff nationwide, including part time, full time, Locum and permanent roles. For more information on any of our services, or if you’re looking for a new opportunity, please get in touch with us at email@example.com