Brexit and NHS data protection: How will GDPR affect healthcare?

The EU’s General Data Protection Regulation will require significant effort to better protect and process personal data and Brexit may not exempt the UK from compliance, writes Dariusz Kasparek

Data Protection Day 2017 signalled Europe’s penultimate alert for businesses and organisations to prepare for stricter rules under the European Union’s (EU’s) General Data Protection Regulation (GDPR). Heavy fines could await those that fail to comply with new rules by the EU’s May 2018 deadline, and the regulations still look very likely to affect the UK, despite the Brexit outcome of 2016’s June referendum.

Regarded as one of the most important changes in data privacy regulation in 20 years, GDPR will have a significant impact on how businesses and other organisations approach and process personal data.

In her first speech as the UK’s information commissioner, Elizabeth Denham said that sufficient digital data flow must be maintained with the rest of Europe after Brexit; and that once the UK leaves Europe it will still need to be deemed adequate or essentially equivalent to GDPR. All organisations, including healthcare, will have to closely examine the way they approach data privacy and security. At the same time a new Network and Information Systems (NIS) Directive will enter into force by August this year as an attempt to boost cyber security across Europe.

In the UK, healthcare has been repeatedly identified as a problematic area for data breaches. The NHS has faced numerous fines and warnings of a “systemic” problem from the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act, whilst stories in the media have continued to emerge of a disproportionate number of reported data security incidents.

The ICO has highlighted one reason for rising health data breaches as mandatory reporting required in the NHS. After May 2018 all sectors will have to report breaches, and it will be interesting to see if this changes the balance between data breaches in NHS and other sectors. Data processors across sectors will soon be obliged to notify the ICO within 72 hours of becoming aware of any breach that has occurred, and violations may cost organisations a maximum of €20m or alternatively, 4% of their annual turnover.

With higher possible fines on the horizon, and patients’ privacy and control over their data still key issues to contend with, healthcare must continually look to find ways to protect and manage patient information, which is some of the most sensitive personal information that exists. Healthcare organisations are being encouraged to take action in order to properly protect the data they store to prepare for the upcoming GDPR.

Some information governance (IG) professionals in the NHS anticipate significant change. Andrew Harvey, head of information governance at one NHS trust, has outlined a series of implications that GDPR may mean, arguing “swingeing revision to NHS IG policies and processes” will be needed. 

At the same time, others have suggested research could benefit from the new regulation, even benefiting from an advantaged position when it comes to processing patient data. 

Pressures in healthcare headlines often focus on budgets, cuts and clinical outcomes. GDPR represents another pressure. But whilst it is anticipated that GDPR will require organisations to appoint a data protection officer to take responsibility for compliance, data security is a cultural issue that goes beyond any one role.

Healthcare staff at all levels are facing increased pressure to remain well-informed about the security of their patients’ digitised data. Healthcare conferences throughout 2016 were reminded of the importance of culture and good data practice at every level in order to safeguard patient data in the NHS, with leadership being key to making this work. GDPR places new requirements on the management of patient data, at a time of immense pressure on the frontline from numerous angles, and at a time of major reorganisation. As leaders take the helm of the evolving and challenging healthcare landscape, data security must be placed high on their agenda.