More than four months since the European Union began enforcing its General Data Protection Regulation, almost one-fifth of organisations aren't confident they could pass their first GDPR audit, according to a recent survey from cybersecurity company Imperva.
Compliance continues to be a point of concern, especially following health insurance company Bupa’s recent £175,000 fine from the UK Information Commissioner's Office over “systemic data protection failures”, after a rogue employee extracted the data of more than half a million customers and put it up for sale on the dark web.
The incident occurred before GDPR came into force and was dealt with under the UK Data Protection Act 1998, but under GDPR the ICO now has the power to issue fines of up to €20m or four per cent of a firm’s global turnover for the previous year (whichever is greater).
“You have to remember why GDPR caught so many headlines initially,” said Saif Abed, European Commission cybersecurity expert and founder of health IT consultancy firm AbedGraham.
“If you take a step back and look outside of healthcare, a big part of it was around the scope of the fines, how large they could potentially be and also the range of expectations involved in terms of consent around people’s data: how it’s being used, what happens if it’s misused.
“Now, if you apply that to healthcare, I would suggest that healthcare organisations have been relatively proactive in trying to address what is in their scope of responsibility and what should be their approach to becoming compliant to GDPR. Would I suggest that every organisation is perfectly compliant? Well, I think that would be extremely unlikely and unfair to expect that."
In April, the NHS IT agency introduced a new online self-assessment platform – the Data Security and Protection Toolkit. It allows organisations with access to NHS patient data and systems to measure their performance against the National Data Guardian’s 10 data security standards, including a tool that providers can use to report a notifiable personal data breach within 72 hours of discovery, as required under GDPR.
NHS Digital has also released data indicating more than 9600 organisations across health and social care have started using the new toolkit, with 272 organisations completing and publishing their self-assessment.
“What’s really important about this is that it’s aligned with the Caldicott [National Data Guardian] standards, and that is much bigger than data confidentiality, it is a lot more contextualised, it’s a lot more relevant. It’s based on reporting and reviews, security and information governance practice within the system over many years,” Abed said, emphasising that the most important focus is ensuring people are aware of how their data is being gathered, used and shared.
“I think that’s actually the most important part of GDPR: It’s the sheer level of transparency creation that it is aiming to generate.”
Meanwhile, a recent ICO survey found that although 90 per cent of people in the UK were aware of GDPR, nearly 30 per cent said they “had heard but did not know anything” else about it.
"GDPR needs to be made relatable for each industry that it is a relevant target to. Information awareness campaigns that are easier to digest could be very important," Abed said.
"I don’t know how many people have fully read GDPR. If you have, it is a sizeable document and I would suggest that most people did not read it."
These campaigns have to come not only from the ICO and central government, he argued, but also from leadership at individual organisation level: “It’s a leadership and communication challenge but it needs to manifest from the local level all the way up to national regulatory body level.”
Originally published on Mobihealthnews, a sister publication of HITNA.