Are your simple business processes abiding by the law or unknowingly breaking it?
Why should you care about your clients' data on your computer, and who might want access to those details? You're using a safe, secure and trusted system, right? So you don't need to do anything?
In one short sentence: yes, your client data (the information you hold about your clients) is safe and secure if it is held in this platform, because keeping it that way is the job isosconnect takes care of. That in itself probably doesn't mean much to you; you may simply be using the system because it is easy, looks good and lets you conveniently keep most, if not all, of your client, patient and customer data in one place. However, a secure platform protects the data you store; it does not, on its own, make your collection and use of that data lawful, and evidencing that part is down to you. So I am here to talk to you about why this platform is not only a great asset to your business, but will be the sparkling jewel in your DPIA, and why a DPIA is something you need to carry out before, during and after collecting and processing data.
So, what is this D.P.I.A.? It is a Data Protection Impact Assessment: the process you carried out (or should have) before processing the data you collect about your clients. It falls in line with the Data Protection Act 1998, since superseded by the Data Protection Act 2018, which sits alongside and supplements the other four letters often seen as the devil incarnate.
THE G.D.P.R. Arghhh... what?
Keep reading, it does get better, and this is where we help!
Now, I am aware that the gobbledegook I often speak of confuses many practitioners, as these letters may not mean much to you, or they may terrify you like the horror movie you avoid on Valentine's night.
However, they should be of interest and concern, because, just like wearing a seatbelt in your car, they are the laws that govern how you are legitimately allowed to process and control data. So, let's start with some phrases, actions and processes that you are required to abide by under the watchful eye of the Department for Culture, Media and Sport (DCMS), the government department responsible for data protection policy, and the Information Commissioner's Office (ICO), the independent regulator that enforces the laws around data protection.
DCMS has an 'eclectic' mix of areas, that's for sure, and I honestly don't know why data protection sits alongside sport, but this is how it is and I'm not here to argue about it, but to explain the who, what and where of data protection for you in simple terms. Or as simple as it can possibly be....
ICO: the body that can prosecute, fine and sanction businesses for incorrect processes used to collect, store and share data (known in the legislation as information). The ICO is independent of government but is sponsored by, and reports to, DCMS.
Membership or Regulatory Bodies: the (sometimes governing) bodies and registers that oversee the profession you are in. They create the guidelines and rules of your profession.
The Data Protection Act 2018 (DPA), the Privacy and Electronic Communications Regulations 2003 (PECR) and the General Data Protection Regulation (GDPR, the EU regulation in force since May 2018): these are the laws you need to be au fait with in order to control, process and market within your business, inside the framework laid down by the ICO and the EU regulations around data (information).
The issue for many of us? We weren't taught about these during training, nor do we fully understand them. I know that when I am teaching, the rules around marketing lawfully are woefully misunderstood, alongside the what, how, when and where of data control policies.
I understand that your profession needed to educate you in 'how' to do your work and how to ensure the wellbeing of your clients and patients. In reality, though, these organisations are not necessarily on the ball with marketing and data protection regulations. They don't often cover what you need to do, and why, in order to fulfil the obligations of your practice once you are out of training. Many organisations haven't got this right for themselves, never mind for the education of their members.
So here is a quick guide for you; for deeper learning, we at Privacy4 have created a community, course and guide to ensure you can protect yourself and your customers, clients and patients:
Data Protection Impact Assessment (DPIA): the process by which you identify the risks in the data you hold, collect, process, share and delete, and design the processes and policies that reduce them. It applies the principles of the GDPR and is your evidence of your how, what, when, where and why. Under the GDPR it is mandatory where processing is likely to be high risk to the people concerned, which includes handling health data at any scale worth the name, and the ICO recommends one for any significant project involving personal data. You need this as a private practitioner and your organisations need one too. You should read it and know what your obligations are.
This should be revisited and updated at least every year, and whenever you change how you process data (a new system, a new service, a new way of sharing). It is usually overseen by the Data Protection Officer (sole traders usually fill this role alongside all the others).
Data Protection Officer (DPO): the person responsible for the policies, processes, places and people involved in data protection. A formally appointed DPO is only mandatory in some cases, such as large-scale processing of health data, but in every practice someone has to own these responsibilities.
Data Controller: the person or organisation who decides why and how data is processed, and sets the 'rules' about where and how it gets processed.
Data Processor: the person or organisation who 'does' the processing on the controller's instructions, i.e. collects, writes, records, types and stores the data. A software platform that stores your client records for you is acting as your processor, and the GDPR requires a written contract with each processor setting out what they may and may not do with the data.
Personal Data: anything tied to a person that could identify them, such as their name, address or email address. Data about someone's health is a special category of personal data and carries stricter rules on when you may process it.
When you meet your customer, client or patient in the software and add their details, create appointments, lists, forms, intake questionnaires and so on, you are both deciding how that data is handled and doing the handling. As a sole practitioner you therefore carry the controller's responsibilities (and are likely your own DPO), even though the platform does the storing for you.
If you need to share that data with anyone for safeguarding or subject access requests, or you delete data for necessary reasons, you should have policies in place that set out how you do this as the DPO/Controller.
These policies are there to assist you and help you make lawful decisions, and they are often the most neglected part of a person's practice, mainly because many of us were never taught that we needed to create them for ourselves.
I hope this quick guide supports you in the creation of your DPIA and that you now understand why you need one. Happy collating!
Catherine Knibbs, CEO of Privacy4
You can find out more at www.privacy4.co.uk