Practical steps to GDPR compliance in health and social care

Despite the General Data Protection Regulation (GDPR) coming into effect in less than three months, many healthcare organisations are yet to start developing a compliance programme.

IT Governance has created a checklist, in accordance with NHS Digital guidance, to advise healthcare providers and their supply chain on how to achieve and demonstrate compliance with the Regulation.

This checklist details nine practical steps that healthcare organisations should undertake in preparation for the GDPR.

These steps include:

  • Accountability: Organisations must establish a GDPR compliance programme. To achieve this, they should conduct a gap analysis to understand their current level of compliance with the GDPR. This will identify the internal capabilities already in place and the skilled staff who will be involved in the project.
  • Record data processing activities: Organisations must understand and audit where data is stored, processed and shared, and identify a lawful basis for each data processing activity. Certain lawful bases explicitly identified by the Regulation are unique to health and social care, such as data processing for the provision of preventative and occupational medicine. Further details on the specific Articles that identify the lawful processing of data for delivery of care and management of health systems are available in the checklist.
  • Appoint a data protection officer (DPO): A DPO will be mandatory for all public authorities and any organisation that carries out regular and systematic monitoring of data subjects or processing of special categories of data on a large scale.
  • Data protection by design and by default and data protection impact assessments (DPIAs): Organisations must identify who will be responsible for DPIAs and when they are likely to be needed, and revise policy and procedures to support DPIA practices.

View the full checklist >>

GDPR training courses

Certified EU GDPR Foundation Training Course

Certified EU General Data Protection Regulation Foundation (GDPR) Training Course

This one-day Foundation-level course provides a comprehensive introduction to the GDPR, and an overview of the implications and legal requirements for organisations, including responding to individuals exercising their data rights, DPIAs and data breach reporting.

Book your place now >>

Certified EU GDPR Practitioner Training Course

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

This four-day Advanced-level course builds on the GDPR Foundation qualification to equip attendees with the knowledge and operational skills to build, implement and manage a compliance programme under the GDPR.

Please note that you must attend the GDPR Foundation course and pass the examination before you can attend the Practitioner course.

Book your place now >>

Save 15% when you book the Foundation and Practitioner courses together.

To discuss your unique requirements, talk to one of our healthcare experts >>