The EU General Data Protection Regulation (GDPR), in place for over a year now, has raised the bar for data protection compliance for private practices.
Jane Braithwaite and Karen Heaton start a six-part series on what GDPR compliance means for your practice management by examining a range of topics that independent practitioners and their managers need to get on top of.
Let’s start with why it is important to establish a data privacy and security awareness culture in your practice. To do that, it is worth outlining some of the core intentions of the EU’s General Data Protection Regulation (GDPR).
Did you know that data protection compliance covers both data security and data privacy? Many organisations understand security – whether this is the physical or digital security of their practice data.
However, we find that data privacy is not well understood, and it is this aspect of the regulations which requires a greater understanding.
So, data security alone is not enough for compliance with GDPR. You need to ensure data privacy is not compromised.
There are many aspects to consider with data privacy. Fundamentally, your practice must continually understand and record:
- What data you have;
- Why you have it;
- Where it came from;
- What you do with it;
- How long you keep it;
- Where it is stored;
- Who has access to it;
- Whether there is an appropriate lawful basis for using it.