Despite the General Data Protection Regulation (GDPR) coming into effect in less than three months, many healthcare organisations are yet to start developing a compliance programme.
IT Governance has created a checklist, in accordance with NHS Digital guidance, to advise healthcare providers and their supply chain on how to achieve and demonstrate compliance with the Regulation.
This checklist details nine practical steps that healthcare organisations should undertake in preparation for the GDPR.
These steps include:
- Accountability: Organisations must establish a GDPR compliance programme. To achieve this, they should conduct a gap analysis to understand their current level of compliance with the GDPR. This will identify the internal capabilities available and the skilled staff who will be involved in the project.
- Record data processing activities: Organisations must understand and audit where data is stored, processed and shared, and identify a lawful basis for each data processing activity. Certain lawful bases explicitly identified by the Regulation are unique to health and social care, such as data processing for the provision of preventative and occupational medicine. Further details on the specific Articles that identify the lawful processing of data for delivery of care and management of health systems are available in the checklist.
- Appoint a data protection officer (DPO): A DPO will be mandatory for all public authorities and any organisation that carries out regular and systematic monitoring of data subjects or processing of special categories of data on a large scale.
- Data protection by design and by default and data protection impact assessments (DPIAs): Organisations must identify who will be responsible for DPIAs and when they are likely to be needed, and revise policy and procedures to support DPIA practices.
GDPR training courses
This one-day Foundation-level course provides a comprehensive introduction to the GDPR, and an overview of the implications and legal requirements for organisations, including responding to individuals exercising their data rights, DPIAs and data breach reporting.
This four-day Advanced-level course builds on the GDPR Foundation qualification to equip attendees with the knowledge and operational skills to build, implement and manage a compliance programme under the GDPR.
Please note that you must attend the GDPR Foundation course and pass the examination before you can attend the Practitioner course.