Clarkson Wright and Jakes Ltd

GDPR: Countdown to implementation

There are just a few working days now until the General Data Protection Regulation (“GDPR”) automatically becomes law on 25 May. The Data Protection Bill 2018, which is currently before Parliament, will replace the Data Protection Act 1998 as the main statute regulating data processing in the UK. The purpose of these laws is to ensure correct management of data in all organisations.

In preparation for the new regime, businesses should already have conducted a review of the personal data they hold, identifying where it came from, how that data is used or shared and the measures taken to protect it. Businesses need to identify the lawful basis or bases for their use of data. They should have appointed members of senior management to be responsible for data protection issues and should be making staff aware of the legal requirements and the processes within the business for dealing with such issues.

Importantly, these policies and decisions should be recorded in writing because, if there is a breach or a complaint is made to the Information Commissioner’s Office (“ICO”), a business will need to demonstrate to the ICO that it has taken reasonable steps to comply with GDPR.

Additionally, businesses will need to review their contractual arrangements. Where data is shared with a third party, there should be a data sharing agreement. Privacy policies may need to be updated so that clients and/or others are informed, in clear terms, about how their data will be used and if it will be shared with third parties.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.