With GDPR in force, healthcare businesses need to ensure that they are compliant. Here are four key considerations for any business looking to ensure their compliance.
Establish a Lawful Basis for Processing Data
Under GDPR, all businesses must have a lawful basis for gathering any personal data. This isn’t a big change from the previous legislation that was in place. There are six lawful bases, and you must hold and process data under at least one of them to be GDPR compliant:
- Consent – where a consumer consents to you processing and storing their data.
- Contract – where the processing and storing of data forms part of a contractual obligation.
- Legal Obligation – where you are legally obliged (e.g. as a public service) to process data.
- Vital Interest – where the processing of data is vital for protecting someone’s life.
- Public Task – where processing data is necessary to complete a task in the public interest.
- Legitimate Interest – where processing is necessary for the legitimate interests of yourself or a third party, unless there is a good reason to protect the individual’s data which overrides those interests.
As with any new piece of legislation, there is a lot of ambiguity surrounding it, and what exactly constitutes a “lawful basis” under each of the six grounds above is likely to be settled by the courts.
In addition to the above, you must only process data where it is ‘necessary’ to do so. This is quite vague wording, but if you can achieve your objectives without collecting or processing any personal data, you should err on the side of caution and take the data-free approach. You must always be transparent and unambiguous about what you plan to do with your users’ data.
Finally, note that you must give your users a simple means of withdrawing their consent and opting out of any data sharing arrangement.
Review Your Agreements
Previously, only organizations classified as data controllers were obliged to observe compliance rules. Under GDPR, however, the obligation now falls on every business that processes user data.
GDPR has also introduced specific requirements that apply to data controllers. These requirements govern the types of agreement that data controllers can sign with data processors. There are no exemptions for existing agreements: any agreement that is not GDPR compliant, however long it has been in place, must be amended or scrapped, and patients must re-subscribe.
Build GDPR Compliance Into Your Website
The easiest way to ensure that your business and website remain GDPR compliant is to build compliance into your website from the start. The GDPR legislation specifically recognizes “privacy by default” and “privacy by design”. In order to remain compliant, businesses will need to implement the necessary policies and procedures and train staff extensively.
Every new project should be approached with GDPR in mind. If you take orders through your website, make sure that you are collecting and handling your users’ data responsibly.
Train Your Staff
The more proficient your staff are in GDPR, the less likely it is that you will fall foul of the new rules. The most efficient way of ensuring that your staff are adequately trained is to focus first on training your most senior staff, then encouraging them to pass the lessons on to those who work beneath them.
If you want to make absolutely sure that your health workers have a firm grasp of their obligations under GDPR, consider whether it is worth investing in dedicated GDPR training.
GDPR makes businesses more responsible for the way that they collect and handle data. Under GDPR, not only must you ensure that you are completely transparent in your data collection practices, you must also report any breaches or lapses that do occur. Training your staff thoroughly on the intricacies of GDPR is the best way of avoiding any issues. Investing in training now will save you from facing fines later.