
The Healthcare Sector vs GDPR: It's everywhere, but is it as bad as we are being told?


By Adam Hutchison

The year is 1999! The fear factor of the millennium is high, with the year 2000 fast approaching – Y2K is everywhere. Will your Windows PC open on the 1st January 2000…?

Does this sound familiar to anyone? Yes. And did everything fall apart around us? Well, no… it was all fine and we all went about our business, at least those of us who did not spend a fortune on new processes we didn't need. Hopefully many used some common sense and a bit of pragmatism.

OK, so this leads us into 2018 and the release of the General Data Protection Regulation, or GDPR as we have seen it referred to, which has begun a similar frenzy of fear for organisations, none more so than in the Healthcare Sector. As with many care providers, the sector is data heavy and still paperwork intensive, and relies heavily on the use of personal data, so GDPR is highly relevant, although we all need to be wary of letting fear drive us to unnecessary external measures. The sector is already heavily regulated, so understanding what these regulations are and how they link into our current regulatory requirements is important.

There is much information available on the subject, but the source information is the most important, so make sure as providers you review the Information Commission website. This is the best place to stay up to date at

So what do we need to be aware of, and how does it affect the sector?

Well, Become Accountable:

Make an inventory of all personal data you hold and examine it under the following headings:


  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties and on what basis might you do so?

This is the first step towards compliance with the GDPR’s accountability principle, which requires organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business. The inventory will also enable organisations to amend incorrect data or track third-party disclosures in the future, which is something that we may be required to do.

All of the above can seem rather daunting, but put simply, as an organisation we must ensure we can justify what data we have and why we are using it. The purposes are clear, but as with all regulations, it's a matter of evidencing our ability to be compliant.

For the Adult Social Care sector more specifically, this means ensuring that contracts with families, and residents' information, carry a clear message as to why the information is held and, more importantly, who has access to it. There can no longer be a relaxed approach to ensuring that the data held is clear and used for the intended purposes.

Data is increasingly becoming an important tool for care sector businesses to achieve effective outcomes. The data regarding individuals, and the constant accumulation of that data, is vital to ensuring people are cared for in a person-centred way. There are therefore certainly requirements for personal data, and GDPR will certainly soon be added to the agenda of the regulators in terms of identifying the need for the data held, so we have to make sure the regulations are fully understood.

There are of course also opportunities in GDPR: it is there to build the trust that is crucial to enabling the digitisation of health services. There is huge potential for technology to transform the health and care industry, but it will not be successful if providers do not trust suppliers and providers of healthcare with their data. The value in GDPR could be to catalyse organisations to fix some of their operational limitations in order to gain a clearer view of personal data.

This will enable better service delivery and result in better outcomes. Companies should also consider re-thinking their data relationship with customers to secure trust, transparency and confidence. Providers should exercise due diligence and make teams aware of what is required. There is plenty of information out there, and some really useful online training sessions, but getting the information right first time and being aware of the changes will put your business in the right place come May 2018, when the GDPR changes come in.

