General Data Protection Regulation (GDPR)

We have received enquiries about guidance from BABCP for members about the introduction of the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The regulation replaces the existing Data Protection Act (DPA) and applies to organisations operating within the EU.

Here we provide a basic guide to ensuring you can work towards GDPR compliance.

The Information Commissioner’s Office (ICO) is the body responsible for policing data protection in the UK. The information provided here is given on the understanding that you must seek further information from the ICO to help you with your compliance. Links to relevant sections of the ICO website are provided.

Does GDPR affect me?

GDPR will apply to anyone undertaking commercial activities. To find out your own GDPR compliance requirements, use the registration self-assessment tool at https://ico.org.uk/for-organisations/register/self-assessment/

What has changed?

There is little change in the core principles between the Data Protection Act and GDPR. What GDPR does, however, is ensure that data controllers focus more closely on their data collection and usage.

Data subjects will have more rights, including rights to access, rectification, erasure, objection, data portability, restriction and to be informed. Note that not all of these rights apply all the time. More information on rights of individuals under GDPR is at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

What are the Registration fees?

The DPA requires every Data Controller to register with the Information Commissioner’s Office (ICO), unless they are exempt. With the introduction of GDPR, the government has introduced a fee for all registered organisations. For the majority of small businesses, the fee will be £35.

More information on registration and fees is available at https://ico.org.uk/for-organisations/register/

What about Privacy notices?

As a result of GDPR, privacy notices will need to provide detailed information on the type of information you hold, how you collect it, how you use it, who it is shared with, and the rights that data subjects have. More detailed guidance on producing your privacy policy is at https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/what-should-you-include-in-your-privacy-notice/ and https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

Data sharing

Many businesses and organisations have legitimate reasons for sharing data with third parties in order to operate effectively. In all instances where a data controller employs staff or uses third parties to process data, there must be a specific data processing contract in place. Guidance on data processing contracts is available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

Data retention

Perhaps the biggest concern for data controllers is how long to keep the data they control. While there is nothing specific in the GDPR about time limits for holding data, it is recognised that data controllers may be bound by specific legal or contractual protocols as part of their normal operation. For example, a public liability insurer will usually require you to hold data for seven years for insurance purposes.

If you work in the NHS or for another organisation, it will likely have its own rules about how long data should be retained. You should check with your employer. As an independent therapist, you should be clear about how long you will retain data and consider the circumstances in which it may be needed in future.

Jargon-busting

Data Controllers - A Data Controller is anyone who is responsible for controlling data held on living persons.

Data Subjects - A Data Subject is anyone living who can be identified by data that is collected and processed by a Data Controller.

Data Processors - Data Controllers will often need to use external agencies or employees to handle their data for legitimate purposes. These are known as Data Processors.

Lawful basis for processing – Data controllers must specify a lawful basis for processing each category of personal data they hold. There are six different bases – consent, contract, legal obligation, vital interests, public tasks and legitimate interest. Find out more about the lawful basis for processing at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

Full details of the GDPR and guidance to assist you with compliance are available at www.ico.org.uk