GDPR – Part One. The new Millennium Bug?

Posted by Katrina on 29/01/2018

If it hasn’t already happened to you, it will! Over the next few months you’ll be approached by numerous people who will offer, for a fee, to guide you through the demanding processes of compliance with the EU’s General Data Protection Regulations (GDPR).

“Aargh”, you may say as you read the doom-sayers’ predictions of harsh fines, imprisonment or both, “here comes yet more compliance pressure on my overworked vet practice team!”

However, you should be reassured by the Information Commissioner’s statement that anyone, or any organisation, which already complies with the existing Data Protection law is well on the way to achieving compliance with the new requirements.

First, a little clarity. GDPR was issued by the EU in May 2016, giving all Member States two years to comply. So, 25th May is when its provisions will apply in the UK. However, each country has a little freedom to amend a few details and the UK Government has also decided to tidy up and tighten up on the existing law (the Data Protection Act 1998).

On 25th May there will be a new Data Protection Act 2017. This will encompass the GDPR requirements and the draft legislation is currently lumbering through Parliament. The House of Lords has been debating it since October and it will go to the House of Commons in January to begin yet more detailed review. It probably won’t get the Royal Assent until sometime around Easter.

Although we don’t absolutely, 100%, know what the final version will look like, we do have some knowledge. Much of the discussion will not really be relevant to the veterinary industry as the GDPR, like its predecessor, typically doesn’t cover any information related to animals.

However, don’t forget how easily sensitive files can be transferred around with email, CD and USB flash drives. It is still essential that this data is handled securely.

The Information Commissioner’s Office (ICO) has already issued a “12 step Guide” to the GDPR ( which is a useful start to check your current status. As a responsible practice you’ll already be registered with the ICO. Plus, you’ll have a Data Protection Policy and an Information Security Policy, so you’re in a pretty good place already.

It is worth checking some things at this early stage though. Do you get specific and explicit consent from your clients to store their data? Do you have a Privacy Notice that tells clients and prospective clients, for instance on the practice website, exactly what data you hold and who you share it with?

You’ll probably say, “It’s pretty obvious – we keep their personal details and animal health records and, because we know all about professional confidentiality, we keep it all to ourselves.”

OK, but what about your IT system? Is it backed-up in-house? Held in ‘the Cloud’? And, if so, where exactly? Do you send client information to any third parties? Insurance Companies or Simplyhealth Professionals for instance. You can be certain that Simplyhealth has rigorous security but do others? Do you? Is any data taken home or stored on USB sticks or personal computers? Have a good think and do a data audit to look at all the data inflows and outflows.

When you know exactly where all your client and staff data comes from and where, if anywhere, it goes, you have ticked off an important stage in preparing for 25th May.

We’ll look at Privacy Statements and Consent in the next instalment…

To be continued!