GDPR guidance

A big change in data protection law came into force on 25 May 2018 – if you’re responsible for people’s personal information, which most audiologists are, you need to make sure that you are compliant.

NCHA guidance

The National Community Hearing Association has published guidance on GDPR for community hearing practices and what needs to be done to prepare for the changes. The guidance is in two parts: part one provides you with a basic overview of new data protection rules and what is changing; part two explains what steps you can take now.

The guidance – which was revised in July – will help you to:

  • understand key changes to data protection rules;
  • review and make a record of all the personal data you hold – helping you demonstrate compliance with the new rules;
  • understand key definitions and roles, and what this means for your practice – helping you comply with the rules in a proportional way.

FAQs

In January, the ICO published a series of Frequently Asked Questions aimed at small businesses to help them prepare for the GDPR. The health FAQs are designed specifically to answer questions for health organisations and businesses, including hearing practices. The FAQs are available at www.ico.org.uk/for-organisations/health/health-gdpr-faqs.

Why audiologists must get ready for new data protection law

Victoria Cetinkaya, Senior Policy Officer at the Information Commissioner’s Office, looks at a big change to data protection law that comes into effect in May 2018, and what you should be doing to prepare.

A big change in data protection law comes into force in May 2018 – if you’re responsible for people’s personal information, which most audiologists are, you need to be preparing for that change now.

New legislation called the General Data Protection Regulation (GDPR) will come into effect in May 2018 in the UK via the Government’s Data Protection Bill, bringing a more 21st century approach to the processing of personal data.

The new reforms place more obligations on audiologists to be accountable for their use of personal data. Practices will need to think carefully about the way they deal with clients’ and staff records.

Clients will have more rights such as being better informed about what businesses are doing with their data and having greater access and control over their data. We’ve highlighted a few points for audiologists below but our guide – 12 Steps To Take Now – is really the best place to start.

Individuals’ rights

One of the main changes for organisations will be dealing with subject access requests (SARs). This is a person’s right to access information held about them. The GDPR gives less time to respond to these requests: information must be provided without delay and at the latest within one month. In most cases, organisations won’t be able to charge a fee.

Data breaches

Businesses will need to report certain data breaches to the ICO within 72 hours of becoming aware of them and, in some cases where the breach is considered high risk, to the individuals affected.

Governance

Businesses will need to be able to show reporting structures, good governance records, and who is responsible for what in relation to client and staff information within the business. These records need to be up to date and available for the ICO if an incident occurs.

To clarify, the new law will not stop audiologists contacting clients for their businesses’ purposes – you will still be able to remind patients of routine appointments. If you’re complying with the current data protection rules, GDPR compliance will not be too much of a burden, but now is the time for all businesses to be making changes.

There’s a wealth of materials dedicated to helping businesses, including an overview of the legislation and an updated data protection toolkit for SMEs that lets you compare what you are currently doing around data protection with what you should be doing under the new regulation.

If you want to stay updated on new guidance, the ICO e-newsletter is a good place to start. As well as the guidance available at www.ico.org.uk, businesses can also call the GDPR helpline on 0303 123 1113 or make use of the ICO live chat service.