
Facing up to the challenge of GDPR and SARs

08/05/18

Industry voice: Organisations can deal with the new data protection regulation largely by continuing to follow best practice, writes Darren Bassett, head of business transformation at Tisski

There is no reason to panic about the General Data Protection Regulation (GDPR). It comes into force on 25 May, but for any organisation that is already following good practice to comply with data protection rules there should be no cause to fear a sudden shock.

It is a message that emerged clearly from a recent discussion in which I took part with Dawn Monaghan, head of data sharing and privacy for NHS England, and Gurpreet Dhatt, head of programme and projects for NHS Midland and Lancashire Commissioning Support Unit.

While the talk focused largely on the implications of GDPR in health and social care, it produced observations that apply to most parts of the public sector. With participants who have been looking closely at what the regulation will mean for the sector, it became clear that the organisations with something to fear are those that have not taken a good hard look at their existing data governance.

This holds despite the lack of definitive guidance from the Article 29 Working Party in Brussels or the Information Commissioner’s Office (ICO) in the UK. That guidance will become available over time, and there will not be a ‘big bang’ on the day the regulation comes into force.

“We will take it in our stride,” said Dhatt. “We need to interpret and implement guidance during the summer and think about how we manage requests and comply going forward.”

Limited change

Monaghan made the point there is already plenty of guidance available from the ICO, and that only a minority of the requirements of GDPR are in fact new.

“Don’t panic,” she said. “Make sure that your existing obligations are met, because that is where you will be found wanting on 25 May.

“As a minimum you should be meeting obligations that have been there since 1998 in the revised Data Protection Act, and meeting what has been good practice with the ICO for nigh on 10 years, things like privacy impact assessments, duty of transparency and the data sharing code of practice.

“If you are not following those you need to make sure you’re moving in the right direction to get them under your belt. Then look at what’s new and what you need to be doing.

“It’s an audit of where are we now, where do we need to be, and what’s the plan we’re going to put in place. If the ICO come in and you have a plan you will be in a better place than if you had not done anything.”

Access requests

There will be particular pressure on the ability to respond to subject access requests (SARs) from individuals for the data held on them. While the panellists doubted there will be a big surge in SARs from implementation day, they acknowledged that a planned public information campaign by the ICO would ensure there will be some to manage.

“Ultimately it’s down to organisations and their local processes,” said Dhatt. “We’re encouraging our users to have systems in place to track requests coming in, how quickly they are responding and what information is being asked for. It’s so we can monitor the trends and compliance.

“It’s about systems, processes and guidance, and how it is implemented on the ground is very much down to local organisations.”

Monaghan pointed out that under general good practice a specific person in an organisation would handle all the requests, but that this becomes more complex in the case of integrated care, where more than one organisation is involved. In that case it should be decided up front which organisation, and preferably which official, takes the lead in handling and collating SARs. This would reduce the danger of multiple requests for the same information bouncing around between organisations.

Build confidence

It is important to get to grips with all this, not just to avoid any future penalties for non-compliance, but to build a confident attitude towards data sharing.

Many public authorities have been cautious over recent years, with anxieties lingering from the controversies over the abandoned national identity card and the NHS care.data programme. They have been getting over these and becoming more inclined to share data responsibly, which is a major element in building better integrated services – now a prime objective in health and social care.

But there is a danger that worries about GDPR could put them back on the defensive and make them ultra-cautious about how they use data. This would be a big step backwards and make it much harder for the care sector and other public services to meet the challenges of the coming years. If they can be sure of their ability to comply with GDPR they can do a lot more to provide better services for their communities.

There is a further positive note: an organisation with a proper understanding of the data it holds and how it is being managed has full control of a major asset. This makes GDPR an opportunity: any public authority that can comply is well placed to use its data to target services more effectively and work in collaboration with others.

It should not be an unwelcome big bang, but a positive stage in the evolution of public services.

For information on Tisski's out of the box GDPR Compliance solution visit: https://tisski.com/compliance-gdpr-solution/
