The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Drawing on the information that’s been released so far, we’ve pulled together the key things GP practice managers need to think about with regard to the data currently held about their staff.
FPM members can visit our Toolkit section today to download our guide to GDPR and resources including a sample data map tool.
The regulations require companies to identify and record what personal data has been collected from job applicants and carried through the employment lifecycle – this is often referred to as a data map.
This will cover data kept on HR information systems in the most obvious sense, in personnel files (both electronic and paper), data saved on hard drives and emails - maybe even on work phones and tablets. There isn't a prescribed format for the data map, and it can take a variety of different forms as long as it fulfils the purpose of helping the organisation to determine:
Top tip – Check out our Records Retention Policy in the FPM Policy Library and start reviewing your personnel files, removing all old information that is no longer relevant.
The GDPR requires a detailed record to be kept of personal data-processing activities - the data map can serve this purpose if it contains the necessary information. It can also be used to identify gaps between your current practices and the requirements set out under the GDPR.
Draft guidance from the Information Commissioner's Office (ICO) states that consent will be very difficult to rely on in the employment context. What this means in practice is that when using the data map, employers will have to look at all the different types of data they collect on their employees and, in most instances, determine a different legal justification for processing the data instead of relying on consent.
Article 6 of the General Data Protection Regulation (GDPR) states that processing of personal data will be lawful only if at least one of the following conditions applies:
Practices will need to look at the types of employee data they process and the processing activities they use and then determine which justification or justifications are relevant.
If it's not possible to justify the processing activity with one of the available grounds, the organisation will have to stop processing.
One of the new requirements is that the legal basis for processing personal data has to be shared with employees, along with other information about processing. In addition to this, organisations must be able to prove that they comply with and enforce their own policy.
Practices will have to take several technical and organisational measures to make sure data protection is incorporated into all procedures involving personal data.
This will mean taking the following steps:
The regulations could see companies face fines of up to €20 million or 4% of group worldwide turnover, a very high figure that has turned a lot of heads. The ICO have already said they will not be specifically targeting small organisations, but there will still be an increased risk due to individuals having a greater ability to bring private claims against organisations for breach of the regulations.
This is where the risk is likely to lie for employers, particularly small businesses that don’t have the resources to devote to the new processes.
Want to make sure you're prepared for GDPR? Award-winning primary care trainers Thornfields have developed a GDPR training course that provides an overview of GDPR, its impact on the NHS, and information on its strategic drivers and potential operational implications.
Hi Sharon, If you would like to give our sales team a call they can discuss this with you further - 0333 240 4010. Thank you. First Practice Management
Hi, I have been trawling the internet for a data mapping support tool without any success unless I want to pay a rather high fee for the software. Is FPM providing a toolkit to help support practices?