The GDPR: the €20 million question
- 20 July 2016
Far-reaching changes to data protection law were agreed by the European Parliament on 27 April, presenting a real challenge to the NHS and other bodies that process people’s personally identifiable information.
Not least among the changes is a huge scaling up of the fines for breaches – with maximum penalties of €20 million for the most heinous infringements.
Described as being “of critical importance to the NHS” by the NHS European Office, the general data protection regulation, known as the GDPR, will have to be applied across the EU by 25 May 2018.
All dead letter?
Of course, there have been significant changes to the political landscape in the few short weeks since the regulation was published. Whether the UK will still be in the EU in May 2018 is moot.
So should NHS organisations be spending time and money making sure they comply with changes made on a legal basis that might no longer apply to the UK per se?
“The answer is possibly,” says Elisabetta Zanon, director of the NHS Confederation European Office. “If we stay in the EU internal market, certainly yes.
“If we leave the EU internal market these EU rules may no longer be applicable. Nevertheless, approximation of rules would be helpful for commercial activity between UK and EU operators.”
This chimes with comments made by information commissioner Christopher Graham at the organisation’s annual report launch last month.
Graham said the ICO would be discussing with the government the implications of the referendum result and its impact on data protection reform in the UK.
But he added: “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.
“The ICO’s role has always involved working closely with regulators in other countries and that will continue to be the case.”
What is the GDPR anyway?
So what are the proposed European changes, and what would they mean for the NHS? Quite a lot, on the face of it. The new regime would mean a greater focus on accountability and enhanced processes around consent.
Data privacy impact assessments would become mandatory at the start of any relevant activity, data protection officers would be mandatory in public authorities, and there would be changes for the public sector on the legal basis for using personal data. (A fuller list can be found in this blog by Elisabetta Zanon.)
According to Andrew Harvey, information governance lead with Western Sussex Hospitals NHS Foundation Trust, and chair of the Sussex-wide IG group, NHS bodies should already be thinking about updating data protection processes in line with the EU’s changes.
“The outcome of the referendum will have little impact on GDPR,” he said. “No matter what changes there are in the EU over the next however many years, if we want to maintain parity, and continue trading with Europe, we’re going to have to match them.
“For NHS organisations, it’s about preparedness, and how we get from where we are currently to where we need to be.”
Follow the money
One of the key areas is ensuring that senior people in organisations are aware of the GDPR so there are no surprises when it’s rolled out.
“There are 12 or 13 areas that need some sort of work. I’m currently pulling together an action plan for our trust. It sounds like it’s quite a lot of work, but I think there will be positives for individual organisations,” says Harvey.
“For example, the process will allow various bits of an organisation to pull stuff together, such as those involved in contracting and clinicians. Organisation-wide engagement and understanding will be necessary.”
Harvey has written a post about the challenges as he sees them (published on LinkedIn). But he points out that organisations need to be particularly aware of the financial implications of the GDPR.
Organisations will no longer be able to charge for subject access requests (currently £10 can be charged for providing records held electronically, and up to £50 for those held in paper form). “One organisation has told me they expect to lose £60,000 of income by having to do them for free,” he says.
And there’s the question of fines. At the moment, the maximum penalty for breaches of privacy is £500,000. This will go up to €10 million or 2% of an organisation’s previous year’s turnover, whichever is higher, for the lower tier of infringements – and €20 million or 4% of turnover for the more serious violations.
“These are huge amounts of money and I guess the hope is that it will concentrate minds,” Harvey says. But he believes that reform is necessary.
“The [current] legislation was written in an age that we’re not now in,” he says. “It was more than 20 years ago, and so much has changed. I think the changes will be good for patients, because we’ll be looking after their information better.”
Be prepared
The Information Governance Alliance is considering the detail of how the changes brought in by GDPR should be implemented in health organisations – but its clear message is that health bodies should keep going with their preparations.
“Until the general position on the GDPR becomes clear, we will continue to prepare for its implementation in 2018,” a spokeswoman says.
“NHS organisations should be in a strong position to make any changes due to their continued use of the Information Governance Toolkit, an on-line resource that supports good data protection practice.”
The IGA will continue to provide updates through its quarterly newsletter and on its website, she says, adding that guidance will be developed and published well in advance of the GDPR coming into force.
Harvey agrees that the NHS is reasonably well prepared. “We have the IG Toolkit, and whatever faults that might have in the breadth of its coverage, it means we have a set of requirements that we have to meet, and we have to provide evidence that shows that we are delivering against them.
“There’s also been a clear message from the ICO and at the Information and Records Management Society conference in May that if you’re doing what you should be under the current Data Protection Act, and doing it well, then it’s more of a tightening up rather than putting new structures in place.
“If you’re already doing a good data protection job, you’ll be doing 85-90% of what you’ll be doing under the new rules, which makes it a housekeeping task rather than a swingeing process of change.”
Other sources of advice
Ahead of the legislation being passed, the ICO published an overview of the GDPR and guidance on preparing for it. Issued in March, it outlines 12 steps to take “now” to ensure preparedness.
These range from raising awareness among decision makers and key people in your organisation, so they know what’s coming, to making sure your current processes and systems are up to speed (for example those around subject access requests, data breaches and consent).
The NHS European Office has prepared a briefing which can be found via this link. It sets out the background to the change and discusses obligations of healthcare organisations.
The Information Governance Alliance’s latest newsletter stresses the need for improved transparency (page 10). To subscribe to its news service, email iga@nhs.net.