I have a long list of exciting nutritional topics that I’d love to write blog posts on! Trust me, this list doesn’t include GDPR for small businesses and dietitians! However, I feel this is a really important topic, and I suspect I’m not alone in thinking (and panicking) about it.
I attended a course yesterday on GDPR as part of my job role in our business partnership, Red Pepper Nutrition. A great group of health care professionals and small business owners and I looked equally overwhelmed and frightened by the looming deadline and the work involved. Reflecting on the day, I feel it will be a great opportunity to have a good spring clean of the data we hold, get a greater understanding of our computer systems and security and, most importantly, protect the sensitive data we hold as dietitians. That’s right folks – I’m embracing GDPR!
I am by no means an expert in GDPR, quite the opposite in fact! I’m hoping my lack of knowledge will result in a simple and down-to-earth explanation that encourages others to act and become compliant by 25th May 2018. I’m also hoping it will encourage others to contribute to this blog post and provide some useful advice to ensure we are all compliant and confident with GDPR come May 2018. So please do add your comments at the bottom and correct this post where necessary. I’ll edit this blog post regularly as a way of supporting each other.
**Dear businesses that want to sell us GDPR related products or services – please add an advert to the comments section, spam will not be approved!**
What is GDPR and why does it affect small businesses and dietitians?
GDPR stands for the General Data Protection Regulation and applies to anyone who holds data on someone living within the European Union (EU). All small businesses should already have been following the existing data protection rules; however, the new regulation comes into force in May 2018, with some hefty fines for those who breach it. Given that the last Data Protection Act was published back in 1998 (20 years ago!), the need to update these regulations and protect the public’s data is really important and relevant to us all, as consumers and as professionals.
As health care professionals we handle sensitive information, therefore we need to obtain explicit consent to collect, store and safely destroy this information.
So, from the ICO’s “12 steps to take now”:
Step 1 – Awareness of GDPR!
If you’ve read this far, then you’ll have already ticked this one off the list – Well done!
Step 2 – Information you currently hold (also called an Information Asset Register or IT asset register – I think!)
This is prioritised on my to-do list for February 2018!
What information do I currently hold, and where do I hold, process and store it? What paper documentation do I keep? How long do I keep it for? How do I destroy it? What 3rd party apps/clouds do I currently use? What information is sent via email? What email addresses do I store? Do I store information in the cloud? What devices (phones, computers, photocopiers, scanners, diaries) are subject to GDPR? What information do I have on social media and websites?
Step 3 – Information Audit
Again prioritised for February 2018!
Are all the above methods safe? Are they password protected, and are the passwords communicated safely? What happens if the information gets stolen or intercepted? Are the 3rd party apps/clouds GDPR compliant? How do your clients consent to treatment, and how do they withdraw consent? Is everyone involved in the company GDPR trained? What happens if there is a data breach? Anything else?
Do policy documents need to be written for the above?
From May 25th 2018, all data breaches involving sensitive information need to be reported to the ICO within 72 hours – prevention is always better!! Risk assess potential data breaches as part of the audit?
An interesting website lets you check whether your business and personal email addresses have been compromised in a previous data breach! We were advised to change our email address if this has occurred. Could anyone advise further?
I’ll leave it there for now! Hopefully that’s enough to help you get a GDPR action plan together?
(Added 8/02/18) March to-do list – Write a privacy notice for all clients to explain what information we hold and the legal and professional basis we have for holding this information.
(Added 16/02/18) Listened to some interesting podcasts on ‘The GDPR Guy’ about GDPR.
Please do add comments and questions and let’s support each other through this!