GDPR is here: what healthcare organisations should be doing to keep compliant


Emma Roe, Head of Commercial at Shulmans LLP, explains why the industry needs to stay focused on data protection.

As the dust settles on the implementation of GDPR, a surprising number of businesses are yet to get their houses in order. According to a recent study* published just weeks before GDPR implementation day (25 May 2018), a staggering 45 per cent of businesses expected to be fined by the Information Commissioner’s Office (ICO) for failing to properly prepare by the time they were inspected.

It is unclear where the ICO will investigate as a first port of call, but there is a strong case to suggest that it’ll be those businesses holding the most sensitive types of data, such as healthcare providers – whether relating to patients, staff, contractors, carers or other stakeholders.

Providers of healthcare services such as independent nursing homes, hospice care providers, domiciliary care service providers, opticians and dental practices clearly deal with large volumes of personal data, much of which is particularly sensitive in nature. It is likely to relate to patients, carers and families, including potentially vulnerable individuals and those not able to give consent on their own behalf. The healthcare sector has always been a maze of complex data usage. Combine this with the high levels of regulatory scrutiny and a significant reputational risk of getting compliance wrong and data protection should be on every organisation’s radar.

As a healthcare organisation, you are potentially processing various categories of data in large quantities to carry out basic daily operations. Although patient data can be most clearly identified as the number one concern, other categories should not be ignored – sickness records of staff and business supplier contact details are potentially subject to the new rules, so all data should be reviewed to ensure that what you are doing with it is done compliantly.

For healthcare organisations, where the processing of special categories of data such as health records is a core activity, GDPR requires the designation of a Data Protection Officer (DPO). Whilst this role may already exist in some form, GDPR imposes much stricter qualification and experience requirements, meaning that simply ‘wearing this hat’ alongside an individual’s day job is not sufficient. Recruiting or training a suitable individual should be an immediate concern, as in reality there are not enough sufficiently qualified specialists in the market to meet demand.

There are also new requirements to minimise data and incorporate aspects of data protection into the planning of any new project or processing activity, which means that even those organisations which were data protection compliant before the 25th of May still have adjustments to make.

Another factor for consideration is that individuals are increasingly more aware of their legal rights in respect of data protection, with the scope of these rights increased under GDPR and a spotlight shone on the issue in the mainstream media. Subject access requests are increasingly common with individuals wanting to know what data is held on file about them and their family. All organisations need to have a comprehensive understanding not only of the data they hold, but also where it is stored across the organisation in order to be able to comply with such requests in the reduced deadline of 30 days under GDPR.

Keeping individuals in control of their data has been a driving force of this new legislation, so being respectful of this, considering whether your email might actually be of interest to them and giving them an easy way to opt out is key to retaining a healthy line of communication with your audience – whether that be patient, staff, customer or supplier.

Under the new regulations, the ICO can now impose fines based on a percentage of worldwide turnover or a fixed sum, whichever is higher. This can be up to €20 million, a steep increase of almost 40 times the previous maximum fine limit.

Although the fines are a significant financial burden to an organisation, perhaps more important are the issues relating to reputation, as any step taken by the ICO can and will often be published for the world to see. This not only puts the organisation under the scrutiny of the ICO going forward but puts a great deal of information relating to a breach or investigation in the public domain. Where trust and safety are the foundation stones of a healthcare organisation, this reputational risk could have consequences far more damaging than any monetary fine.

For more information or to discuss your GDPR compliance plans, please visit or call 0113 288 2817.

* Study conducted by Ensighten, sourced via Information Age.