The General Data Protection Regulation (GDPR) is about the processing of personal data. It applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified. This covers all manual and automated processing of personal data. This guidance is for those who have day-to-day responsibility for data protection.
The ICO explains the provisions of the GDPR to help organisations comply with its requirements.
Who exactly does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’.
- A ‘controller’ determines the purposes and means of processing personal data.
- The ‘controller’ shall be responsible for and be able to demonstrate compliance with the principles.
- A ‘processor’ is responsible for processing personal data on behalf of a ‘controller’.
- As a ‘processor’, the GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities, and should a data breach take place, you will have legal liability if you are responsible for the breach.
The GDPR refers to sensitive personal data as ‘special categories of personal data’. Health data, racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data and sexual orientation are all classed as special categories.
Preparing for the General Data Protection Regulation
As you may be aware, it is compulsory to collect and store confidential data and client contact data in accordance with the GDPR.
Healthcare providers process sensitive personal data in the ‘special categories’. The regulations apply to personal data, which includes:
- Medical information
- Email addresses
- Posts on social networking websites
- Computer IP addresses
We aim to make the GDPR easily understandable, transparent, easy to implement and easy to keep up to date. These are the areas we will cover:
- Map Information Processes
- Creating an ‘Opt-out’ area for all correspondence
- Consent Form – updating your original template
- Privacy Notice for your website
- Privacy Impact Assessment
- Updating Terms and Conditions and Information Notices
- Associate Agreements updated with GDPR wording
- Sharing data with other Data Controllers
- How to deal with Breach Notifications
GDPR for Therapists, Psychologists & Case Managers
Interested in our GDPR Data Protection Compliancy Action Plan? This is what it includes:
- Understanding the implications of GDPR Data Protection compliancy, your mandatory obligations and personal data best practice in relation to your independent therapy practice or brain injury case management company;
- Looking at all information assets, both manual and electronic: for example, manual files, documents held on computer and every piece of paper that has identifiable personal details recorded on it. Making sure that consent forms, terms and conditions and associate agreements are all compliant with the GDPR;
- The Compliancy Action Plan includes mandatory formatted templates, consent forms, privacy policies, information notices, privacy impact assessments, data breach registration forms and audits;
- Support in making sure you identify the risks to personal data and are able to put in place the necessary controls to protect your data, both internally and externally;
- We will go through all the questions to complete each section of the plan, including each of the forms, policies, assessments, tables and templates and how to implement them;
- At the end of this process you will have a completed GDPR Compliancy Action Plan specifically for your independent therapy practice or brain injury case management company.