The National Community Hearing Association has published guidance on GDPR for community hearing practices and what needs to be done to prepare for the changes. The guidance is in two parts: part one provides you with a basic overview of new data protection rules and what is changing; part two explains what steps you can take now.
The guidance – which was revised in July – will help you to:
In January, the ICO published a series of Frequently Asked Questions aimed at small businesses to help them prepare for the GDPR. The health FAQs are designed to specifically answer questions for health organisations and businesses, including hearing practices. The FAQs are available at www.ico.org.uk/for-organisations/health/health-gdpr-faqs.
A big change in data protection law comes into force in May 2018 – if you’re responsible for people’s personal information, which most audiologists are, you need to be preparing for that change now.
New legislation called the General Data Protection Regulation (GDPR) will come into effect in May 2018 in the UK via the Government’s Data Protection Bill, bringing a more 21st century approach to the processing of personal data.
The new reforms place more obligations on audiologists to be accountable for their use of personal data. Practices will need to think carefully about the way they deal with clients’ and staff records.
Clients will have more rights such as being better informed about what businesses are doing with their data and having greater access and control over their data. We’ve highlighted a few points for audiologists below but our guide – 12 Steps To Take Now – is really the best place to start.
One of the main changes for organisations will be dealing with subject access requests (SARs). This is a person’s right to access information held about them. The GDPR gives less time to respond to these requests: information must be provided without delay and at the latest within one month. In most cases, organisations won’t be able to charge a fee.
Businesses will need to report certain data breaches to the ICO within 72 hours of becoming aware of them and, in some cases where the breach is considered high risk, to the individuals affected.
Businesses will need to be able to show reporting structures, good governance records, and who is responsible for what in relation to client and staff information within the business. These records need to be up to date and available for the ICO if an incident occurs.
To clarify, the new law will not stop audiologists contacting clients for their businesses’ purposes – you will still be able to remind patients of routine appointments. If you’re complying with the current data protection rules, GDPR compliance will not be too much of a burden but now is the time for all businesses to be making changes.