The General Data Protection Regulation (GDPR)
On 4 May 2016, the GDPR was published in the Official Journal of the European Union and officially came into force on 24 May 2016.
There is a two-year implementation period, so the GDPR will only be applicable from 25 May 2018. Perhaps the most seismic overhaul of data protection in the last 20 years, the implementation phase gives organisations the opportunity to plan and prepare their strategy for complying with the GDPR.
More background information is available on the European Commission’s website.
What are the major (non-exhaustive) changes?
Increased fines for breach of obligations
It is anticipated that the Information Commissioner’s Office (ICO) will have greater powers to impose monetary fines. For the most serious breaches of GDPR obligations the maximum fine is €20 million (equivalent to about £17.9 million) or 4% of worldwide annual turnover, whichever is higher. Currently, the ICO has powers to fine organisations up to £500,000.
Data Breach Notification
Under the GDPR, data controllers will need to notify the supervisory authority (in the UK this is likely to be the ICO) of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. Where a notification is not made within 72 hours, reasons for the delay will need to be provided. Because the clock starts when the organisation becomes aware of the breach, pharmacies should have a clear internal reporting route so that front-line staff escalate a suspected breach promptly.
Data Protection Officers (DPO)
The GDPR will require some organisations to designate a DPO, for example, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to ensure that a named individual in the pharmacy business, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Pharmacy contractors will be familiar with the requirement to have a Pharmacy Information Governance Lead (see Requirement 114) and should consider whether the designation of a DPO is required and, if so, assess whether the current approach to data protection compliance satisfies the GDPR’s requirements.
Greater control for data subjects
Data subjects, meaning any living person about whom the pharmacy holds or processes personal data, have the “right to erasure”, also known as the “right to be forgotten”. This gives patients the right to direct the Data Controller (the pharmacy) to erase their personal data in certain situations. The right is not absolute: for example, it does not override record-keeping obligations that the pharmacy is required by law to meet.
How can I prepare?
It is expected that the ICO will provide further GDPR guidance throughout the implementation period and once the GDPR is applicable. The ICO has already published “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now”.
The NHS European Office (part of the NHS Confederation) has also produced a briefing to help prepare commissioners, hospitals and other health and care providers for the main changes that can be expected, which pharmacy contractors may find helpful.
Pharmacy contractors are encouraged to familiarise themselves with their obligations under the GDPR and to identify any compliance gaps in their standard operating procedures and other policies that need addressing before the GDPR goes live.
Q. What about Brexit?
On 24 June 2016, the UK voted to leave the European Union.
On 14 July 2016, the Financial Times reported that David Davis, Secretary of State for Exiting the European Union, had confirmed that the UK’s formal departure from the EU should be “around December 2018”.
Therefore, at present, the position remains unchanged: the GDPR will apply to the United Kingdom from 25 May 2018. EU law that has not been implemented as UK national law but takes effect in the UK as a result of EU membership, such as the GDPR, may no longer apply post-Brexit, depending on the terms of the negotiated agreement to leave the EU. The position is likely to become clearer as the UK gets closer to formally leaving the EU.
Q. Isn’t there something coming out of the EU on cyber security?
Yes. On 6 July 2016, the European Parliament formally adopted new rules to step up the security of network and information systems across the EU.
The Network and Information Security (NIS) Directive will increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers. Operators of essential services are active in critical sectors such as energy, transport, health and finance. Digital services cover online marketplaces, search engines and cloud services.
The requirements will be stronger for operators of essential services than for digital service providers, reflecting the greater risk that disruption to their services poses to society and the economy.
Each EU country (the UK currently being one of these) will also be required to designate one or more national competent authorities and set out a national strategy for dealing with cyber threats.
In August 2016, the NIS Directive came into force, starting the 21-month countdown for the UK to implement the Directive into national law (around May 2018), with a further 6 months (around November 2018) to identify operators of essential services.