General Data Protection Regulation (GDPR) and Data Protection Bill

You may already be aware of the upcoming introduction of the General Data Protection Regulation (GDPR) and Data Protection Bill, due to come into force on the 25th of May 2018.

The GDPR and Data Protection Bill jointly replace the Data Protection Act 1998.

Therapists are likely to hold, or be partly responsible for holding and processing, personal data about individuals, and are therefore required to adhere to data protection regulations.

We would therefore like to share some useful guidance and information that will assist you in reviewing how you currently manage and store your data.

The 12-point GDPR checklist below was put together by the ICO. While some of the steps may seem pitched at organisations with multiple members of staff, rather than at therapists in private practice, the general advice applies to everyone who processes personal data.

A Summary of the Information Commissioner's Office's 12-point GDPR Checklist

Ensure senior/key people are aware of GDPR and appreciate its impact.

Document any personal data you hold, where it came from, and who you share it with. Conduct an information audit if needed.

Review your privacy notices and plan for necessary changes before GDPR comes into force.

Check your procedures cover all individuals' rights under the legislation - for example, how you would delete personal data or provide data electronically in a commonly used format.

Plan how you will handle subject access requests within the new timescales, and provide any additional information.

Identify and document your legal basis for the various types of personal data processing you do.

Review how you seek, obtain, and record consent. Do you need to make any changes?

Put systems in place to verify individuals' ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.

Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Adopt a 'Privacy by Design' and 'Data Minimisation' approach, as part of which you'll need to understand how and when to implement Privacy Impact Assessments.

Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within your organisation's structure/governance arrangements.

If you operate internationally, determine which data protection supervisory authority you come under.

For more detail on each of these 12 steps, refer to the ICO guidelines here.

Some Useful Links

Please find below a list of links that you may find useful:

Resources and Support from the ICO: https://ico.org.uk/for-organisations/resources-and-support/.

A document outlining action expected from health and care organisations in 2017 to 2018 to implement recommendations by the National Data Guardian has been published here: https://www.gov.uk/government/publications/data-security-and-protection-for-health-and-care-organisations.

The ICO publishes on its website a Guide to GDPR, which includes useful tools on 12 steps to take now and getting ready for GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

The EU provides a website which contains guidance and public information about GDPR: https://www.eugdpr.org/.

The UK Government has published a Data Protection Bill (see next section for details) and says it will publish a number of factsheets on the Bill. A factsheet setting out an overview of the Bill has been published: https://www.gov.uk/guidance/data-protection-bill-overview.

The Government has published a Data Protection Bill and says that data laws will be made fit for the digital age: https://www.gov.uk/government/news/data-laws-to-be-made-fit-for-digital-age.

Please note that the National Counselling Society cannot provide bespoke advice on GDPR compliance. We recommend contacting the ICO directly if you have any questions related to your particular requirements, as they are best placed to provide guidance and assistance.

The ICO also has an advice service dedicated to helping smaller organisations prepare for GDPR: https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/.

We do hope that this information is of some use, and that it will help you plan your data protection arrangements for the upcoming introduction of GDPR.