What is the GDPR?
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and replaced the Data Protection Act 1998 (DPA). As an EU regulation, it was directly applicable in the UK and did not require implementing. However, it gave Member States limited opportunities to make provisions for how it applied in their particular country and the UK Government took advantage of this option to introduce the Data Protection Act 2018 which adds details such as penalties for non-compliance.
As the Brexit process continued, it became apparent that the UK would need a regime closely based on the GDPR once it finally left the EU and the Government’s answer was to adopt the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which created the concept of UK GDPR — essentially mirroring the EU original but with changes such as replacing references to the European Commission with details of the Information Commissioner's Office (ICO).
As the two are in most requirements essentially the same, it seems likely that most people will continue to refer to the GDPR, rather than UK GDPR.
Why do you need to take action?
Under the DPA, organisations were thought to be compliant until there was a data breach. Under the GDPR, this is no longer the case, you need to have evidence that you are compliant from the start. This means that you need to have documents and processes in place to demonstrate you are following the regulations and ensuring the safeguarding of the data that you hold.
What do you need to do as a social care provider?
You must register with the Information Commissioner’s Office (ICO) if you have not done so already. As a social care provider, you are a data controller (you are processing personal data) which means you must register with the ICO.
Compile a “catalogue” of all the information that your provision holds and processes, often referred to as an Information Asset Register. This will include:
Is it personal or sensitive?
How is the information stored?
Is it shared or transported, and if so, how is this done?
Is the information included in a retention schedule?
How long are you keeping it for?
Find a template Information Asset Register here which you can download and fill in for your provision. Each set of boxes represents a different type of “asset”, for example, admissions forms, care plans, medication forms, accident records, etc.
You also need to document your data processing. Use our GDPR Personal Data Processing Record — see the Worked Example for how to complete this.
Write a privacy notice. [This should include the following.
The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).
Who is collecting it and how (paper forms, electronic forms, etc)?
Why is it being collected?
How will the information be used?
Who will you share the data with (this will include healthcare providers and local authorities if there are safeguarding issues)?
Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?]
Find a template privacy notice here .
Update your data protection policy.
Download this GDPR factsheet to check and demonstrate your compliance with the GDPR: Employer Factsheet: General Data Protection Regulation — GDPR.
Ensure that your employees are fully aware of their rights and duties under the new legislation by sharing this factsheet with them: Employee Factsheet: General Data Protection Regulation — GDPR.
Train your staff. Everyone working for you, including permanent staff, volunteers and work placement students all need to have completed GDPR awareness training and have a good understanding of your policies and procedures. Find a GDPR Staff Awareness Training Presentation here to fulfil your training needs.
Download this GDPR checklist to check and demonstrate your compliance with the GDPR.
Other useful documents
The General Data Protection Regulation — feature article