GPDPR: A painful lesson in Transparency…or lack thereof (Part 4)

This blog is part 4 in a series delving into the GPDPR programme to uncover what went wrong, the lessons that should be learned from it, and what you will need to do to meet your obligations under GPDPR.  Links to the other blogs in this series can be found here:

What can those affected by GPDPR do now?

For any organisations which may be impacted by the recent GPDPR, all is not lost!  There are some practical steps organisations can take to try and address the concerns and criticism appearing in the media and circulating around social media:

  1. Signpost members of the public to the NHS Digital information about the GPDPR
  2. Make sure front-line staff are aware of the existence of Type 1 Opt Outs and the National Data Opt Out, and understand the difference between the two (although in practice, individuals will often want to opt out of everything, meaning they will need to apply both opt outs).

For any organisations that may be planning projects involving personal data, particularly healthcare data, make sure the following form part of your project plan:

  1. Scope your project carefully to determine:
    1. What data you will collect (and whether it meets the definition of ‘personal data’ – remember, data which is ‘de-identified’ may still be considered personal data, so don’t make the mistake of thinking you’re dealing with anonymised data when you aren’t)
    2. Where the data will be obtained from (particularly if data collected for one purpose is going to be repurposed for something different or new)
    3. What purposes any data will be used for
    4. Who any data might be shared with or made available to (both within your organisation and outside)
  2. Use the DPIA process to assess the aims, scope and proposed approach – do this before any decisions have been made about what you will do or how you will do it so you can respond in an agile way.
  3. Prepare to be transparent with individuals and assume that you will need to earn their trust – this may include engaging with people at an early stage and responding to their feedback, publishing your DPIA and communicating your plans.  If you think people might react badly to what you are planning to do, consider why this might be and what you might be able to do differently.
  4. Consult with as many people as possible to test your assumptions – most importantly, don’t forget to engage with the most important group: the data subjects whose data you will be collecting and using.
  5. Consider what choices people will have around the use of their data and how they can effectively exercise these.
  6. Communicate effectively with people – think about the best ways to communicate with different groups and plan to use a variety of methods.  Don’t make the mistake of thinking an update to your website will necessarily be sufficient!

How can 8fold help?

At 8foldGovernance we help you to resolve any potential barriers around the implementation of GPDPR, DCB0129 or any other data protection standards, including the Digital Technology Assessment Criteria (DTAC). We will support you to better identify and analyse any problems in your workflow, understand the local architecture and select appropriate solutions that stand the greatest chance of achieving success. It’s what we do.

From planning prototypes, to medical device certification, governance, cyber security and marketing, we’ve got you covered. Contact us today for a free no-obligation chat to find out more about how we can help resolve your IG barriers, or help bring your innovation to market and achieve success.

Find out more about Our Services.

Do you meet the statutory requirements under DCB0129?

Ensure that clinical safety is a core practice for your organisation and that the statutory requirements for health IT in the UK (DCB0129) are met, including having a named clinical safety officer. To find out how we can help, contact us for a no-obligation call. We’ll help you to understand what your obligations are and also what needs to be done to ensure that you are compliant with the mandatory requirements.
