Over half (55 percent) of Acute NHS Trusts and 47% of Mental Health Trusts have revealed they have invested in preparation for the implementation of GDPR, a new report has revealed.
Think Tank, Parliament Street received 46 responses from its Freedom of Information (FOI) request on the investment NHS Trusts are making ahead of GDPR, with less than half not investing in preparation ahead of the new regulation at all.
NHS Trusts across the UK have been increasing investment in security and data protection; in the last financial year this totalled £123.817 billion, which is set to increase to £126.269 billion for the financial year of 2018/2019.
These increased figures equate to approximately £1,980 per person in the UK through tax and national insurance.
Investment into preparing for GDPR is going towards training staff, securing email systems and new software to cope with the changes.
How Does Your Trust Rank?
Across all NHS Trusts, the total figure spent on preparing for GDPR tops £1 million; totalling an exact figure of £1,076,549.
Those living in the Luton and Dunstable area, be rest assured on sufficient GDPR investment as the town tops the leaderboard investing a total of £111,200 to cover staff and training improvements. Following in close second is Lincolnshire’s NHS Trust, investing £106,915 in staff and training preparation. Holding joint third place is South Central Ambulance Service NHS Trust and St George’s University Hospitals NHS Foundation Trust, both investing £95,000.
Further down the pecking order, some NHS Trusts are investing just £500 in GDPR preparation including Royal Derby NHS and Goodmayes Hospital.
Those not directly investing in GDPR preparation had spread the costs elsewhere. For example, the think tank also found £54,000 was spend by the NHS Christie Foundation Trust spent £54,000 on an Information Security Management System and consultancy resources.
Additionally, an investment of £11,000 was spent on data flow and software training by the Queen Elizabeth Hospital King’s Lynn NHS Foundation Trust.
What are the Consequences?
As the NHS recovers from the massacre of the WannaCry attack, it is imperative Trusts are prepared ahead of the game when it comes to GDPR.
“The challenges are real. Like many large healthcare systems, the NHS must deal with legacy infrastructure that was not designed to handle the volume of data and operating systems in use today. They’ve got to address and replace outdated and unsupported systems as a first step, and this costs money,” Matt Lock, Director of Sales Engineers at Varonis, said in a statement. “The NHS must quickly get their house in order – not only to meet the GDPR but also to guard against the next ransomware attack.”
Those that are not investing sufficient funds into preparation ahead of GDPR could face financial consequences in the long run, owing 4 percent of global turnover if data were leaked.
How to Effectively Prepare
With just under half admitting to having no plan in place for GDPR preparation the Think Tank made suggestions for the next steps to take, outlining that consistency is key to success.
“We propose that the NHS establishes a national programme for managing and funding the GDPR. The Government should look to provide dedicated legal advice in the form of solicitors and speciliast counsel to enable all trusts to gain free consultancy on implementation,” The Think Tank’s report said. “A national NHS GDPR strategy should be established, bringing together lawyers, CIOs and CEOs to ensure consistency between trusts.”
As well as ensuring consistency across the NHS, Trusts must effectively utilise the investments; ensuring a little goes a long way.
“Spending £1m seems like a large investment, but after this funding is distributed across hundreds of facilities throughout the UK, the amount is likely to be far than adequate,” Lock said. “Organisations must stand accountable, address these issues and move forward quickly, perhaps faster than they may be accustomed to. Today’s technology and threats demand nothing less.”