Of course we think that you should invest in e-learning to get your team ready for GDPR compliance. But it should form part of a broader GDPR compliance strategy: here are some things you can do today:
- Appoint a Data Protection Officer. This may also be a job title, but in the eyes of GDPR, it is a designated accountable official: someone with whom the buck stops for GDPR issues and stewardship of NHS data protection guidelines. The ideal candidate may be a legal, technology or compliance specialist – it remains to be seen what sort of skills will be most effective in this role for NHS organisations.
- Review your information governance policies. They should, of course, reference the new GDPR standards and obligations. Assess contracts with partner organisations too – ongoing arrangements should also be GDPR compliant.
- Review your technology. The NHS often has archaic or piecemeal technology solutions. You must be able to report on GDPR subject access requests within one month, prove that data is stored securely, and evidence the destruction of personal information if requested by a patient/citizen. These objectives may require either the wholesale redesign of some technology services, or the definition of new use cases and access rights.
- Understand your data today. Where is data stored? How is it transmitted? When and how is it used? And how can it be destroyed if required?
- Value evidence as much as compliance. Anyone who understands the CQC regime will be familiar with this concept: it’s not enough to be compliant; it’s also important to have evidence of compliance. Keep records of the proactive activities you engage in for GDPR purposes, like risk assessments.
- Embed GDPR into ongoing work. Like all compliance activities, GDPR is not a one-off. Make it a consideration in your ongoing strategy – particularly the Sustainability and Transformation Plans (STPs) which are at the heart of efficiencies in the NHS over the coming years – and which cannot afford to be thrown off track with either complexities from GDPR or hefty fines.
- Run a crisis test. NHS organisations should assume that their networks will at some stage come under attack – NHS data protection and security is not watertight, and can never truly be so: it is an open organisation which must sacrifice perfect security for both financial considerations and 24/7 access to health data in emergency situations by non-IT professionals. Therefore, as well as maintaining the best security possible given these trade-offs, run a crisis management test for a typical data breach: you must inform the Information Commissioner’s Office within 72 hours, so practise evaluating data breaches, handling communications, and assessing a remediation plan.
Prepare your organisation and your workers for the GDPR and data protection changes with our range of online data protection learning courses.