GDPR for Healthcare Professionals – Data Protection Officers

This is the third instalment of our series of blogs on the effects of the General Data Protection Regulation (GDPR) on healthcare professionals. To read the second, Data Subject Rights, please click here.

Who needs a DPO?

The GDPR states that organisations that deal with ‘sensitive personal data’ on a large scale will need to appoint a Data Protection Officer (DPO).

What is Sensitive Data?

Under the GDPR, the definition of ‘sensitive personal data’ has changed from that in the Data Protection Act 1998 (DPA): it now includes ‘genetic data’ and ‘biometric data’, in addition to ‘data regarding a person’s physical or mental health or condition’, which was already included under the current legislation.

What is a DPO?

The DPO will monitor compliance with the GDPR, inform and advise the organisation and its employees on their obligations to comply with GDPR as well as answer any data protection queries employees or patients may have.

Healthcare organisations predominantly deal with such sensitive personal data. Therefore, they will need to appoint a DPO.

The Role of a DPO

The responsibilities of a DPO are set out in Article 39 of the GDPR and include, but are not limited to, the following:

  • Advising and educating the organisation and its employees about the steps necessary to ensure compliance;
  • Training staff and conducting internal audits;
  • Monitoring the organisation’s compliance and performance;
  • Cooperating and acting as a contact point with:
    • the ICO, i.e. reporting breaches; and
    • individuals whose data is processed (employees, patients, relatives etc.)

Who should assume the role of a DPO?

A DPO does not necessarily need to be recruited – an existing employee can assume the role provided that their existing duties do not conflict with those of the DPO.

Importantly, they must have proportionate experience and knowledge of data protection law.

Smaller organisations may prefer to contract out the role or group together to appoint one DPO between them.

Be Ready

Organisations should look to recruit or train a member of staff as soon as possible, to ensure that the individual has sufficient knowledge and experience of data protection law and has had time to implement the necessary steps to comply with GDPR.

If you would like to discuss any of the points raised in this blog, or would like to speak to a specialist solicitor in our healthcare team, please contact us on 0161 926 9969.