Care providers across the UK handle the most sensitive data about people, from residents to employees. The GDPR is going to bring much greater scrutiny upon care providers who are already pushed to the very limit, both financially and in terms of time.
Under the GDPR, much of the data stored and processed by care providers will be classed as Special Category (high risk) data. This covers all data relating to:
- race/ethnic origin
- political opinions
- religious beliefs
- health and medical records
- sexual orientation
- criminal convictions
Is your home's data secure?
Care providers are required to hold all of this data on the residents of their services in order to build a good care plan for each individual, and almost all of it is also required on employees to ensure a safe hiring process.
Because this data is so sensitive, a breach of it is treated as severe by the Information Commissioner's Office (ICO), which can lead to greater fines, as discussed in our previous blog. That adds further financial pressure, but arguably worse is the cost to your reputation as a safe provider.
In the world today it is less a case of if there is a breach and more a case of when! For every new security measure there is a new attack, and ultimately one employee will, at some point, click a link in an email that lets an attacker bypass your security.
This does not guarantee a home-closing fine!
If care providers can demonstrate that all reasonable steps have been taken to process and store that data securely, the ICO may issue no penalty.
So how can care providers ensure that all reasonable steps have been taken?
GDPR only applies to personal data that can identify a living person; the author's position is therefore that data which is encrypted will fall outside of this regulation. Speak to an IT expert about the best way to encrypt and secure the data stored on your computers.
Have a robust data retention policy and stick to it. How long do you need to keep that data? If you are holding sensitive data, do you need to keep it after it has been processed? If not, securely destroy it.
If you do need to keep the data after processing, for how long: 3 months, 6 months or 10 years? Whichever it is, write it into your policy and stick to it.
All of this will help you show the ICO that reasonable steps have been taken to avoid a breach.