In February 2018, NHS Digital released guidance for healthcare providers (HCPs) to help them comply with the EU General Data Protection Regulation (GDPR). With the GDPR enforcement date less than a week away, HCPs should have identified a compliance plan in line with this guidance, which highlights how they will enact the Regulation and by when.
In accordance with these guidelines, IT Governance has developed a checklist for HCPs to design and monitor their compliance programme. Our healthcare experts are also available to discuss how HCPs can leverage these compliance activities against the requirements of The Network and Information Systems Regulations 2018 (NIS Regulations) and the Data Security and Protection (DSP) Toolkit.
For HCPs that have not yet considered how they will comply with the GDPR – don’t panic. Speak to one of our experts about how you can develop a cost-effective programme of activity that allows you to demonstrate the steps you will take to meet the requirements of the Regulation.
In case you’ve missed it – what is the GDPR?
The GDPR will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998 (DPA). Compliance will be mandatory for any organisation that processes EU residents’ personal data.
The Regulation expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.
For organisations that are unaware of the implications and/or the challenges that the GDPR presents, IT Governance is running The first steps towards GDPR compliance webinar, which covers:
- Why you must comply with the GDPR and what might happen if you don’t;
- The GDPR’s direct effect on your business and the transition timelines;
- The first steps in preparing for GDPR compliance;
- The technical and organisational measures your business will need to adopt to comply with the Regulation; and
- Key recommendations and industry-recognised practices to help you achieve GDPR compliance.
First step to GDPR compliance
It is easy for organisations to assume that compliance requires an overhaul of their relevant processes. Most healthcare organisations, however, will already have practices in place that satisfy many requirements of the GDPR.
One of the key challenges will be for organisations to demonstrate where those practices are already in place and recognise where changes are needed to meet the GDPR’s requirements. This is addressed in the checklist’s first step to compliance, accountability.
The accountability step suggests organisations should conduct a gap analysis of their compliance posture to understand what changes need to be made to bring the organisation in line with the GDPR. The gap analysis report should allow organisations to establish a programme and timeline for implementing, auditing and reviewing these changes.
Organisations will probably need to upskill a member of their in-house team who will be responsible for developing and implementing the programme.
IT Governance’s Certified EU GDPR Foundation and Practitioner Combination Course provides a comprehensive introduction to the requirements of the GDPR, and a practical guide to planning, implementing and maintaining a GDPR compliance programme. The course provides useful information to anyone who will be fulfilling the role of the data protection officer role (DPO). A DPO will be required for most healthcare organisations, including primary care providers and pharmacies.
There are many changes coming into effect in 2018 that will affect the compliance landscape for healthcare providers.
In addition to the GDPR, May 2018 marked the deadline for EU member states to transpose the Directive on security of network and information systems (NIS Directive) into national law; in the UK, the Directive was transposed as the NIS Regulations. The NIS Regulations apply to many healthcare organisations in the UK and require them to implement effective security measures appropriate to associated risks, as well as measures for incident response. More information is available in our blog and in our free green paper: The EU Directive on Security of Network and Information Systems – UK compliance guidance.
HCPs also face significant changes from the Data Security and Protection (DSP) Toolkit, which replaced the Information Governance (IG) Toolkit as the mechanism by which organisations that have access to NHS patient data must provide assurances that they are practising good information governance.
Our Cyber Resilience for the Healthcare Sector green paper considers these new compliance obligations, and how organisations might implement a single cyber resilience strategy that can meet the challenges in a cost-effective manner without duplicating workload.