The General Data Protection Regulations (GDPR), enforceable in the UK from the 25th May 2018, places far greater burdens on those processing data and gives data subjects (living individuals) new and enhanced rights. In addition, fines for non-compliance will increase to a maximum of €20 million or 4% of turnover.
This extensive piece of legislation, which runs to a massive 260 pages, encompasses businesses, the public sector and from 2019 even charities. These new data processing rules will inevitably result in organisations like the NHS or even household national charities not only getting named and shamed but also fined in the event of any data compromises.
One of the biggest risks for companies, organisations and charities is from data leaks, where an individual’s record is compromised. According to the Information Commissioner’s Office (ICO), which will be responsible for policing GDPR, between January to March 2016 there were 448 UK data breaches: 184 of these were health, 43 local government, 25 finance, insurance and credit and 23 charitable and voluntary. In contrast only 36 businesses were fined, although post GDPR this is expected to significantly increase.
From May 2018 the need to register with the ICO will change and it will no longer make a charge. However with the ICO expanding and commissioning new offices along with the recruitment of ex-police officers this seems an indication of how the ICO will indirectly generate funding. Therefore not surprisingly, fines under GDPR will also increase. To put things in perspective the fine issued by the ICO to TalkTalk for a major data leak in 2016 was just £400,000, but under the new rules next year it could be based on 4% of TalkTalk’s turnover in which case the fine would be a staggering $67 million.
Data controllers and data processors also have enhanced GDPR responsibilities not only to protect data but in the event of a leak to communicate it within 72 hours to the ICO and also to the individuals concerned. Failure to do so under the new rules will potentially incur the highest penalties.
Medical records and other highly sensitive data that needs processing for hospitals, insurance firms, government departments, local government and similar organisations is treated as the processing of special categories of personal data, which requires the highest level of protection from theft and exposure.
To meet these GDPR challenges, encryption technologies, pseudonymisation and in some cases anonymisation is needed. The ICO has stated that in future, where personal data losses occur and where encryption software has not been used to protect the data, regulatory action is likely to be pursued.
GDPR also affects the storage of documents because Article 5 requires documentation to be retained only for as long as necessary. Keeping CVs of past job applications, records of previous customers who moved on a long time ago and customer payment details, along with duplicated patient data left over from, say, scanning purposes could all land your organisation in a heap of trouble.
Where serious data processing is involved, data protection officers are now recommending the outsourcing of personal sensitive data processes like payroll, scanning and storage. This is because many organisations simply do not have the in-house skills or easy access to the necessary technologies or the correct procedures, to properly do this in-house.
Companies like Restore Scan have stolen a march on the scanning and storage of sensitive data and work with hospitals, insurance companies, corporations and departments like the DVLA due to its quick turnaround and compliance.
Typical of the work undertaken by Restore is the medical scanning, archiving, indexing and retrieval of medical records for the Royal Liverpool University Hospital. Records are scanned at Restore’s North West based ISO27001 compliant, high tech centre which provides the hospital with a host of benefits.
These include a compliant records management process backed by enhanced security, incorporating IG Toolkit compliance. In addition to enhanced security and compliance the Royal Liverpool has also been able to reduce administration costs for the physical management of records, improve patient care with timely access to information. This includes allowing patient records to be retrieved simultaneously if required by numerous clinicians anywhere in the world. Finally, crucial hospital space has been regained for patient care.
Knowing how long to keep records to meet the requirements of GDPR and also providing optional data destruction services are all part and parcel of the Restore service to the client. Whilst the Royal Liverpool may be ahead of the curve many hospital trusts, insurance companies and even some government departments are still getting to grips with what the legislation means in practice.
In a nutshell GDPR is wrapped around six key data processing principles. Personal data must be processed lawfully, fairly and in a transparent manner. It should be collected for specified, explicit and legitimate purposes. It must be adequate, relevant and limited to what is necessary. The data must be accurate and, where necessary, kept up to date. Data should only be retained for as long as necessary and processed in an appropriate manner to maintain security. To complicate matters further, data subjects have also been given new enhanced rights including the right to rectification, erasure, restriction, objection and the right to data portability.
Translating all of these into a practical workable solution that puts the privacy of data subjects first is going to prove one of the biggest challenges for 2018. Therefore work on developing a strategy, finding external partners to undertake some of the work post May 2018 and the drafting of privacy policies should start now.