General Data Protection Regulation or GDPR was a mandated requirement from the EU governing body. All member states signed up, including the UK, and it was subsequently written into UK law under the updated Data Protection Act 2018. EU GDPR is obviously an EU Regulation. I’m sure I don’t need to tell you that the UK left the EU on 31 December 2020. So, what’s changed and how does this affect therapists in private practice?
First, a quick recap…
What is Personal Data?
Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.
GDPR sets out 7 key principles around the collection, control and management of data:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability
More details on these principles can be found here.
As of 31 January 2020, the UK implemented a very similar version of GDPR. This is known as UK GDPR, while the GDPR governing the EU is known as EU GDPR. The good news is, the processes, policies and procedures you are currently running in your practice are unchanged by the UK’s exit from the EU if they previously complied with EU GDPR.
Although the two regulations are very similar, there are certain differences, which have been set out in the UK Data Protection Act 2018. These concern national security, crime and legal proceedings, and other types of special data categories. Reviewing these, I see only one difference that is perhaps key for therapists to be aware of: EU GDPR states that a child can consent to data processing at age 16, while the Data Protection Act (DPA) sets this at 13.
The UK government is committed to maintaining the same high standards of data protection and is unlikely to deviate substantially from EU data protection approaches and mechanisms going forward.
Data Flowing To and From the EU
Data to the EU from the UK – At this time, the UK GDPR recognises the EU data protection as ‘adequate’ in terms of safeguards. This will be reviewed over time but for the moment there are no restrictions in place so data can flow freely.
Data from the EU to the UK – The EU has agreed to delay any transfer restrictions for four to six months (known as the bridge). This means that data can flow freely for the time being. The EU will make something known as an ‘adequacy decision’ – a formal decision by the EU recognising that another country provides a level of protection for personal data equivalent to the EU’s own. A draft decision by the EU has stated that it regards the UK’s data protection standards as ‘adequate’. This will need to be ratified by the EU member states.
What About Cookies, Marketing Emails & Medical Records?
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications, covering marketing and cookies. They derive from EU law but are set out in UK law, and they continue to apply.
The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed upon.
If you keep medical records, you need to be registered with the ICO.
What is the ICO’s Role Now?
The Information Commissioner’s Office (ICO) remains the independent supervisory body for the UK’s data protection legislation. It has some good resources to support you in keeping up to date with GDPR here.
Help, I’m Still Confused!
If you are struggling with GDPR compliance and don’t know where to start, Pocket Site has put together some helpful packs to get you started. We have also put together a comprehensive blog post answering more therapist questions; check it out here: GDPR Therapist Questions Answered.