How will healthcare in the UK be affected by GDPR?

By Rich

In the wake of the UK’s decision to leave the European Union, as it stands the country and its healthcare sector will not be exempt from compliance with the incoming General Data Protection Regulation (GDPR), expected to come into effect by 2018.

What could be seen as a final warning was sounded to European businesses on Data Protection Day 2017, when commercial organisations, including those in healthcare, were asked to prepare for what appears to be much stricter regulations pertaining to the use of data under GDPR.

Those who fail to get in line with the changes to data privacy could be at risk of being landed with heavy fines. It appears to be wishful thinking that Brexit will somehow exclude the UK from the legislation’s reach, so it might be prudent to adopt a policy of ‘better safe than sorry’.

To quote Elizabeth Denham, the UK’s Information Commissioner, writing in City AM: “You do need to act, and soon. For larger organisations, someone on your staff needs to be accountable for data protection and preparing your business for the approaching changes.”

How will GDPR compliance affect the healthcare sector?

The most important aspects of the changes brought in by GDPR are related to the way in which healthcare organisations handle and store personal data.

It seems the healthcare sector in particular is set to come under the microscope, especially considering the track record of the NHS – the UK’s public health service has previously received fines for breaches of the current Data Protection Act, and fears have been raised as to the number of data security lapses in the healthcare system.

It will be up to healthcare organisations to notify the Information Commissioner’s Office (ICO) when a security breach is known to have taken place, and a 72-hour limit is expected to be placed on this reporting. The fines being touted for non-compliance certainly demand to be taken seriously – four percent of an organisation’s annual turnover.

Now organisations and private consultants in healthcare could be looking at even larger fines for lapses in data security, especially with another piece of legislation in the offing.

In terms of the specific healthcare practices which might be looked at, the ICO has previously highlighted mandatory reporting as one of the reasons why the NHS has suffered from data security lapses.

GDPR is expected to tighten up data portability, data protection and data processing, while consent, and how to request it from patients, is another area in which it is expected GDPR will require internal reviews from healthcare organisations. This could concern patient data used in healthcare marketing, for example. Then there is accountability to the principles which GDPR lays out – there is speculation that every healthcare organisation in the UK will be required to appoint a data protection officer whose responsibility it will be to ensure GDPR compliance.

The Network and Information Systems (NIS) Directive comes in next month (August) – it’s intended to tighten up cyber security across Europe, carrying an obvious amount of expected crossover with GDPR.

It remains to be seen whether GDPR will require a complete overhaul of practices and policies in healthcare – but at the very least, it is likely to prompt many organisations to conduct comprehensive reviews.