Understanding GDPR and Data Protection for Businesses
Discover the essential aspects of General Data Protection Regulations (GDPR) and how they impact businesses. Explore key principles of GDPR, the importance of data protection, and the role of technology in safeguarding personal information. Gain insights into legal obligations, individual rights, and measures to ensure compliance with GDPR requirements.
Presentation Transcript
Welcome to Introduction to General Data Protection Regulations (GDPR) with Cavity Dental Staff Agency Ltd
Course Details
GDPR came into effect on 25th May 2018 and all businesses must comply. At the end of this course you will understand your legal obligations and what GDPR means to you.

MODULES
1. What is GDPR?
2. 7 Key Principles to GDPR
3. Data Protection
4. Technology
5. Cyber Attacks
6. ICO
7. 11 Steps to prepare for GDPR
8. DCO
9. DP
10. Personal Data
11. Privacy Rights for the individual
12. Your Responsibility
What is GDPR?
GDPR stands for General Data Protection Regulation. GDPR is there to make companies accountable for collecting, storing and disposing of personal data. It also gives us, the individuals, more control over how companies use our personal information. GDPR can be boring, but we must not ignore it. Under the new GDPR the Data Protection Authorities have powers for tackling non-compliant companies. They can be fined up to 4% of worldwide turnover or 20 million, whichever is the higher.
7 Key Principles to GDPR
1. Lawfulness, fairness & transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Confidentiality & security
7. Accountability
Data Protection
The Data Protection Act (DPA) was passed by Parliament in 1998. It was brought in to control how personal information is used by companies, organisations and the government. It was originally designed to give the individual the legal right to know how their personal information is collected, stored and used, and also to protect our personal data from any unauthorised access.
Technology
Since the DPA was introduced, technology has changed. How often do we write letters or communicate by calling a friend or family member on a landline? How many people still have a landline telephone, and would even know their own telephone number? How many of us have swapped from physically going into a supermarket or high street boutiques to online shopping?

Technology nowadays takes over most of our daily activities:
Internet browsing
Mobile phones
Online banking
Online shopping
Social media

Every time we log into our computers, we become susceptible to hacking. When we input any personal information into any website, we become vulnerable again. We must therefore take extra care, as there are dangers associated with modern technology and the way our personal data can be misused. To be as safe as possible we need to put measures in place:
Encrypted software
Anti-virus software
Use strong passwords and keep them safe. DO NOT WRITE THEM DOWN
Cyber Attacks
In 2018, 500 million personal records were stolen. In January 2019, an online casino group leaked information on 108 million bets, including the customers' personal information, deposits and withdrawals. In February 2019, 617 million online account details stolen from 16 hacked websites were found being sold on the dark web!

Almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%). The business findings are in line with those in 2017 (when the question was first asked). The charity findings show a rising incidence, from 19 per cent in 2018 (when charities were first surveyed) and 22 per cent in 2019, to 26 per cent in 2020. This may mean that more charities are being targeted, but could also mean that they are better at identifying breaches than before.

Among the 46 per cent of businesses that identify breaches or attacks, more are experiencing these issues at least once a week in 2020 (32%, vs. 22% in 2017). There is a similar pattern over time for charities, although the changes across years are not statistically significant. In 2020, a fifth of these charities (22%) say they experience breaches at least once a week.

The nature of cyber attacks has also changed since 2017. Over this period there has been, among those identifying any breaches or attacks, a rise in businesses experiencing phishing attacks (from 72% to 86%) and a fall in viruses or other malware (from 33% to 16%).

You can read more about this at the link below.
https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020
ICO - Information Commissioner's Office
The ICO is the UK's independent body set up to uphold information rights. They are responsible for ensuring all data is correctly stored, used and disposed of. If any breach of data protection occurs, the ICO must be informed within 72 hours.
11 Steps to Prepare for GDPR
1. Aware
2. Accountable
3. Communicate
4. Personal privacy rights
5. Access request changes in personal data
6. Team member and patient consent to data processing
7. Processing children's data
8. Reporting data breaches
9. Impact assessments
10. Data Protection Officer (DPO)
11. Data Controller
Data Controller Officer - DCO
This is the person who determines how and why you need to process personal data. They are accountable for GDPR. Within a Dental Practice it is usually the Principal Dentist or the Owner. The Practice Manager may also be given a role to play: this person may be given the data protection responsibilities within the practice, with the title of either Information Governance Lead or Data Protection Lead. Overall, though, the person responsible and accountable is the DCO. The DCO must always comply with the DPA 1998 and with the GDPR 2018, respect the individual's privacy and work within the guidance of the ICO.
Data Processor - DP
The DP is responsible for processing personal data on behalf of the DCO. They are responsible for maintaining records of personal information. Data Processing Managers plan, coordinate and supervise activities related to information systems and software applications within a company; planning, organising and directing data processing activities are the main functions of a Data Processing Manager. The role of a DP could be the Receptionist, Dental Nurse, Dentist, Hygienist or Therapist: basically anyone in the practice who collects personal information and processes it on behalf of the DCO. You must be able to justify the legal reasons why you are collecting this data and how you store it.
Personal Data
Within the Dental Practice the information collected would be name, sex, address, DOB, GP name and address. Special data collected could include:
Medical history
Medical & dental records
Ethnic origin
Religion
Health
Sexual orientation
Hep B status

Personal data should only be seen by those that need to see it, and should not be shared with a 3rd party unless required by law, to refer the patient to an outside medic for treatment, or for finance companies. Before referring you must inform the patient you are doing so. You will need their consent to share their data with the 3rd party. The individual must also be informed who the 3rd party is and the reason you will be sharing their data.

Processing personal data means to use, store, share and destroy. Most of the time, shared data will be sent electronically. Patients can transport the data themselves and personally give it to the 3rd party. If you send data electronically you need to ensure protection is in place:
Via an encrypted service
Anonymously, by giving the patient a unique number and sending the name of the patient separately

If you are an NHS practice and use their portals you will be safe to send electronically. Emails can be hacked, so if you use this method and GDPR is breached you will need to report it to the ICO within 72 hours. If a member of staff breaches GDPR but fails to inform the Data Protection Officer, they can face disciplinary and dismissal procedures.
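The "unique number with the name sent separately" approach above is pseudonymisation: the clinical payload travels under a random reference, and only a lookup table held at the practice links the reference back to the patient. The Python below is an added example, not code from the presentation or from Cavity Dental Staff Agency Ltd; the sample record, the field names, the DIRECT_IDENTIFIERS tuple and the ReferenceTable class are all constructed for illustration.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample record of the kind the slide describes: direct identifiers
# alongside special-category data. None of these values describe a real person.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Example Patient",
    "dob": "1980-01-01",
    "address": "1 Example Street, Example Town",
    "medical_history": "penicillin allergy",
    "hep_b_status": "immune",
}

# Fields that identify the patient directly (assumed set for this example). These stay
# with the practice; only the clinical payload plus a random reference goes to the 3rd party.
DIRECT_IDENTIFIERS = ("name", "dob", "address")


def pseudonymise(record: Dict[str, str]) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Split one record into (reference number, payload to send, identity to keep back).

    The reference is 16 hex characters from the OS CSPRNG, so it carries no information
    about the patient; the only link back is the practice's own lookup table.
    """
    ref = secrets.token_hex(8)
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    payload["patient_ref"] = ref
    return ref, payload, identity


def leaks_identifiers(payload: Dict[str, str]) -> bool:
    """Pre-send check: True if any direct identifier slipped into the outgoing payload."""
    return any(k in payload for k in DIRECT_IDENTIFIERS)


class ReferenceTable:
    """Practice-side lookup table, reference -> identity. It is never transmitted with
    the payload; the patient's name goes by a separate route, as the slide describes."""

    def __init__(self) -> None:
        self._table: Dict[str, Dict[str, str]] = {}

    def register(self, record: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        ref, payload, identity = pseudonymise(record)
        if leaks_identifiers(payload):
            raise ValueError("payload still contains a direct identifier")
        self._table[ref] = identity
        return ref, payload

    def reidentify(self, ref: str) -> Optional[Dict[str, str]]:
        """Used when the 3rd party replies quoting the reference number."""
        return self._table.get(ref)


if __name__ == "__main__":
    table = ReferenceTable()
    ref, payload = table.register(SAMPLE_RECORD)
    print("send to 3rd party:", payload)
    print("kept at the practice:", table.reidentify(ref))
```

The reference is random rather than derived from the patient's details (an NHS number or a hash of the name would let a recipient link records across senders), and the check in register() is the place to catch a new identifier field being added to the record layout without being added to DIRECT_IDENTIFIERS.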
Privacy Rights for the Individual
GDPR allows an individual to object to the processing of personal information for marketing, sales or non-service-related purposes. This means the data controller must allow an individual the right to stop or prevent the controller from processing their personal data. The DCO can refuse the individual access to their records, but the refusal must be lawful and the request unfounded, and the DCO must demonstrate why they have refused. According to GDPR 2018, when an individual requests access to their records the company has to respond within 1 month. The Data Protection Act 1998 set the timescale at 40 days for a response. There is also now NO charge levied on the person requesting access to their records, or even for any copies.
Privacy Rights for the Individual
The GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Your Responsibilities
There should be a person in your practice who is there to monitor, inform and advise. They will be responsible for keeping up with changes in data protection law and also for making all staff aware of the changes. Annual updates and training are advised. Personal data should be stored for 11 years, or for children until they are 25 years old or for 11 years, whichever is the longer. According to the NHS, staff data should be kept for 6 years. Your practice should also conduct risk assessments. These will highlight any risk of GDPR being breached. Some things to consider:
What data is collected?
How is it stored?
How is it destroyed?
How long do you store it for?
Who has access to the information?
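The retention rule above has an edge case worth getting right: for a child the period is the later of their 25th birthday and 11 years from the record, so a 16-year-old's record is kept for the full 11 years even though they turn 25 sooner. The Python below is an added example, not from the presentation or from Cavity Dental Staff Agency Ltd; it takes the 11-year, age-25 and 6-year figures from the slide, and the cut-off of 18 for "child" is an assumption, since the slide does not define it.

```python
from datetime import date
from typing import Optional

# Retention periods as stated on the slide.
PATIENT_RETENTION_YEARS = 11
CHILD_RETAIN_UNTIL_AGE = 25
STAFF_RETENTION_YEARS = 6
# Assumption: the slide does not say at what age someone stops being a "child"; 18 is used here.
ADULT_AGE = 18


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Completed years of age on the given date (birthday not yet reached counts one less)."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


def retention_expiry(record_date: date, category: str, dob: Optional[date] = None) -> date:
    """Earliest date on which a record may be destroyed under the slide's figures.

    category is "patient" (dob required so the child rule can be applied) or "staff".
    """
    if category == "staff":
        return add_years(record_date, STAFF_RETENTION_YEARS)
    if category != "patient":
        raise ValueError(f"unknown record category: {category!r}")
    if dob is None:
        raise ValueError("patient records need a date of birth to apply the child rule")
    eleven_years = add_years(record_date, PATIENT_RETENTION_YEARS)
    if age_on(dob, record_date) < ADULT_AGE:
        # Child: until age 25 or 11 years, whichever is the longer.
        return max(eleven_years, add_years(dob, CHILD_RETAIN_UNTIL_AGE))
    return eleven_years


def due_for_disposal(record_date: date, category: str, today: date,
                     dob: Optional[date] = None) -> bool:
    """True once the retention period has run out; the record is kept on the expiry day itself."""
    return today > retention_expiry(record_date, category, dob)


if __name__ == "__main__":
    # Constructed dates for illustration.
    print(retention_expiry(date(2020, 6, 1), "patient", dob=date(1980, 1, 1)))   # adult
    print(retention_expiry(date(2020, 6, 1), "patient", dob=date(2015, 3, 10)))  # young child
    print(retention_expiry(date(2020, 6, 1), "patient", dob=date(2003, 6, 15)))  # 16-year-old
    print(retention_expiry(date(2020, 6, 1), "staff"))
```

Running this across a record index answers the "how long do you store it for" question from the risk assessment with a concrete disposal date per record rather than a policy sentence, and the "unknown category" error is deliberate: a record with no category should block rather than silently fall into the shortest period.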
Key things to remember
The Data Protection Officer is accountable & responsible
The Data Processor processes data on behalf of the DPO
Any breaches must be reported to the ICO
Safety measures installed in all software
Keep up to date with any changes regarding GDPR