21st May 2018
Introduction
GDPR stands for the General Data Protection Regulation. It is a European-wide data protection law that applies from 25 May 2018 and replaces the Data Protection Act 1998 as the basis of UK data protection law.
We need to make sure that the way we collect, process and store personal data and information will comply with the new regulations.
Personal data is any information relating to an identified or identifiable living individual. For Stockport CCG this includes employee information such as HR and Payroll records, customer lists and contact details. It applies to both electronic and paper records.
Compliance with the GDPR is everyone’s responsibility.
What are the key changes?
GDPR goes beyond the current requirements of the Data Protection Act 1998. Some of the key changes are as follows:
• Accountability – organisations must not only comply with the requirements under the GDPR, but demonstrate compliance. This will be overseen by a new Data Protection Officer role, reporting to senior management.
• Data Protection training and awareness will be required for staff at all levels in the organisation, as this will be the only way to develop a more proactive and responsive information governance culture.
• Restrictions on using consent as the justification for processing data for a particular purpose. Consent must be freely given, specific, informed and unambiguous. Under the GDPR there is a higher standard for consent, and it must be as easy for an individual to withdraw consent as it is to give it.
• Record of Processing Activities – organisations will be required to build and maintain an Information Asset Register to identify the personal data processed by any service.
• Data Protection Impact Assessment (DPIA) – Organisations will need to identify, assess and mitigate or minimise privacy risks with data processing activities.
• Data breaches – the supervisory authority must be notified of a personal data breach without undue delay and no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the breach is likely to result in a high risk, the affected individuals must also be told. Penalties are considerably higher than before: the GDPR allows fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements, and failure to report a breach can itself attract a fine of up to €10 million or 2% of turnover.
• Data subject rights – the GDPR confers a number of new rights on people who are the subject of any data processing activity, including:
• Subject access changes – removal of the £10 subject access fee and a shorter response time (one month rather than 40 days)
• The right to be forgotten (right to erasure) entitles an individual, in certain circumstances, to have their personal data erased, to stop any sharing of their data, and potentially to have third parties halt processing of the data too
• The right to data portability means an individual can request to receive the data they have provided to us in a ‘commonly used and machine readable format’, and has the right to transmit this to another body.
What does this mean for the CCG?
Much work needs to be done to ensure we are compliant with the regulations and that we all recognise and understand that responsibility for the safe and secure handling of personal data rests with each and every one of us.
This work is being led and coordinated by a Project Team from Stockport Council in partnership with the CCG and includes colleagues from a range of different disciplines including Information Governance, Policy, IT and Communications.
Priorities include:
• An update of Policies and Procedures to ensure that advice and guidance is available for all colleagues. Additional training, including an updated data protection e-learning module, will be provided in 2018 to support the transition to the new regulations
• Helping services to carry out Personal Data Audits as we need to understand what information we currently hold and how it is collected, processed and stored. The team will advise and help services make any changes necessary to comply with GDPR.
• Raising awareness and understanding of Privacy by Design to ensure that data protection is included in the design of systems from the start and embedded in all data processing activities. Managers will be given support to ensure they consider privacy before changing how they operate or the systems they use.
• Ensuring that any partners and suppliers who deliver services to or share personal information with the CCG are operating to the same standards we are, and are complying with the law.
• Appointing a Data Protection Officer – a mandatory requirement for the CCG under GDPR
Keeping you informed
We will continue to keep staff up to date on GDPR through briefing sessions, training and regular information updates.