A Series of blogs on GDPR from Dr Paul Cundy (GPC IT Lead) - Republished with permission

Welcome to my first ever blog! 

And what a subject to start with, GDPR, that really racy, exciting, vibrant, energetically enthusing European Data Protection Directive! (The best original-text website I’ve found for looking at the actual words is here: https://gdpr-info.eu/)

So let's get the disclaimers out of the way: this is a blog. This is not formal, BMA legally approved, absolutely set in stone, 100% trust your wife and reputation on it stuff, it’s a blog. On the other hand, I’m not Mrs Miggins off the number 93 bus; I’ve been leading GP IT for 17 of the last 23 years. As to GDPR, I’ve read every single word of the final text of the Directive; next time you attend a sponsored “IG event” ask who else in the room has done the same. Every day for the last 12-18 months I’ve read, exchanged, forwarded, replied to, commented on or drafted multiple mails and communications connected to GDPR. I’ve spoken at meetings, committees, conferences and in closed sessions. In short, I’ve lived, breathed and sweated GDPR for the last many months. So personally I think I have an opinion on GDPR that ranks among others. Oh, and I’ve also been a founding author of the recently released BMA Guidance on GDPR (https://www.bma.org.uk/-/media/files/pdfs/employment%20advice/ethics/gps-data-controllers-under-gdpr-mar2018.pdf?la=en), which is where this blog comes in, as a supplement to the formal BMA Guidance.

OK, so you understand this is a narrative, from someone who has an interest in and some knowledge of the subject? On that basis, let's move on.

What is this blog about and why am I here late at night posting to it?

Well, GDPR is a complex area, and because the law hasn’t even been agreed yet, it's a necessarily unclear area. This blog is intended to act as a source of informed comment and a knowledge base. It's going to evolve over the next few weeks, so set up your notifications and alerts.

Now it's only right that I set the ground rules early: this is not an exchange, this is a dissemination, not a debate. What I post here is to be taken locally and used locally. I do not have enough time to reply to the microscopic minutiae of every GP or their staff who wonders what the reflexive pronoun of a sentence within the depths of the original Directive about patients' rights infers. In short, I am not committing to responding to anyone or anything, but I will be happy to respond to any challenges and correct any mistakes. It’s a new world, let's enjoy it, and the protections it provides.

Many ask “Why GDPR?”

Well, the original EU Directive (full title for the nostalgic: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”), as it said on the tin, was written in 1995. Oasis were number one with “Some Might Say”, and I was 38, in my first session on what was then called the General Medical Services Committee. Amazon had only been trading for a year and only sold books; Mark Zuckerberg was 11, another 9 years before he’d go up to Harvard and launch “The Facebook”. The world marvelled at the Blackberry thumb-wheel, and Apple would ferret away in their labs for another twelve years before emerging with the first iPhone. Uber and AirBNB hadn’t even been dreamt about. In short, the DPA was very much pre “social media / digital revolution” and, although undoubtedly ahead of its time, there’s no way it could have pre-empted what’s happened since. We’ve come a long way in those 20+ years, much to our very great advantage, but not always. Our experience of our disseminated, digital, direct and instantaneous world, occasionally adverse, demanded a refresh and update. GDPR is that refresh. Its ethos is simple: to provide for EU residents “respect (for) their fundamental rights and freedoms, in particular their right to the protection of personal data”. Basically, GDPR tightens up on many of the elements of the 1998 DPA, enhances the existing rights of Data Subjects (DS) and creates new ones that were not anticipated in the original. Data Controllers (DCs), in the context of this blog GPs, get stronger support for declining data extracts as well as new responsibilities, and as DCs we must comply with the new laws and must be able to demonstrate compliance rather than just be aware of them. Finally, the consequences of non-compliance or breaching have changed.

OK that’s GDPR so what’s this DPA2018 I’ve heard about?

GDPR also allows individual countries some flexibility (derogations) in some aspects of the law, and these will be made law in the Data Protection Act currently going through parliament as the Data Protection Bill (House of Commons), which you can track here: https://www.parliament.uk/busi... . GDPR will stand alone but will be supplemented in the UK by the new act, which will repeal the 1998 and 2003 Data Protection Acts. In this blog, “GDPR” means GDPR and DPA2018 taken together.

GDPR becomes law on 25th May 2018, does all of this have to be in place by then?

Well, yes and no. Technically yes, because it will be the law of the land, but in reality unlikely. The ICO has stated that “GDPR compliance will be an on-going journey” and that they will be “proactive and pragmatic” about the “real world” that practices find themselves in. If you are already following good practice under the DPA 98 and are taking reasonable steps to implement GDPR using guidance such as the BMA’s or this blog, it's unlikely the ICO will be on your doorstep on 26th May, if for no other reason than they don’t have the requisite 10,000 inspectors. You will, however, need to have at least started a plan, and that’s where this blog comes in: to help GPs and their practice managers with that plan. I’m aiming, providing my career isn’t destroyed by the GMC in the meantime, to produce a weekly blog, each one focussing on the pragmatic, practical stuff that we GPs need and crave.

Dr Paul Cundy

GMC 2582641

8th March 2018