UK Data Protection Changes (EU General Data Protection Regulation 2016 or GDPR)
The EU General Data Protection Regulation (GDPR) was approved in 2016 and came into law in the UK on 25 May 2018. It replaces the Directive that was the basis of the UK Data Protection Act 1998, which has itself been replaced by the Data Protection Act 2018. It is expected that the provisions of the GDPR will remain in force post-Brexit.
Although the principles of data protection remain broadly similar to those of the 1998 Act, there is a greater focus on evidence-based compliance: specified requirements for transparency and openness about the data we process in King's College Hospital NHS Foundation Trust (the Trust), demonstrating compliance, and delivering the rights of individual data subjects (you), while reducing the risk of the considerably stronger penalties for non-compliance.
The GDPR introduces the principle of ‘accountability’ that requires us to be able to demonstrate compliance. The key obligations to support this include:
- The recording of all data processing activities identifying the lawful justification and data retention periods
- Routinely conducting and reviewing data protection impact assessments where processing is likely to pose a high risk to individuals’ rights and freedoms
- Assessing the need for data protection consideration at an early stage, and incorporating data protection measures by default in the design and operation of our information systems and processes
- Ensuring demonstrable compliance with enhanced requirements for transparency and fair processing, including notification of rights
- Ensuring that data subjects’ rights are respected. This includes the provision of copies of information held by the Trust, rights to rectification, erasure, to restrict processing, data portability, to object, and to prevent automated decision making.
- Notification of personal data security breaches to the Information Commissioner
- The appointment of a suitably qualified and experienced Data Protection Officer
The GDPR and the new UK Data Protection Act 2018 require us to take specified actions and to hold evidence demonstrating that we have done so.
The Trust must comply with the new law and, in many areas, with its “spirit” of transparency and openness. At this time the Trust is working extensively to support implementation of the new data protection legislation, but has recognised that across our services there are some areas where we are unable to comply at this time (owing to the technical capabilities of our systems and procedures); we continue to seek solutions to achieve compliance within a reasonable time.