Data Privacy Consultancy and Information Security Software provider join forces to help dental practices meet their obligations under the GDPR to appoint a Data Protection Officer
VaultConnect initially started looking at the challenges faced by Dental Practices offering NHS treatment after a meeting with advisors to the profession back in May. This resulted in Richard Higginbotham being invited to present to 160 General Dental Practitioners at a meeting in Manchester in May in order to answer their questions about the GDPR. At this meeting it was clear that while Dentists were well informed about information governance, the new regulation presented some significant challenges.
Richard Higginbotham answering questions from an audience of 160 General Dental Practitioners on all things GDPR in May 2018
The General Data Protection Regulation (GDPR) places an obligation on all Public Authorities to appoint a Data Protection Officer (DPO).
The definition of a public authority within the Data Protection Act 2018 includes not only the national, county or city governmental agencies, but also the NHS itself, local authorities and – significantly – dental practices.
Where many practices are small – with typically maybe two dentists, a receptionist and a couple of dental nurses – it can seem impossible to meet the requirements.
The Data Protection Officer (DPO) can be an existing employee, BUT there must be no ‘conflict of interest’, that is, no conflict with the person’s other tasks and duties. The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. This will rule out a dentist or nurse.
The BDA tried, but ultimately failed, in its attempts to have the government overturn the requirement for a DPO. It reported practices being quoted sums up to £15,000 to provide outsourced DPO support. The BDA advises that a DPO should be in place by 24 May 2018, but does not believe that practices that do not have a DPO in place on 25 May 2018 are likely to face penalties if they are taking steps to get a DPO in place as soon as possible.
As the BDA found, an outsourced DPO is an option, but an expensive one. We know: we also scoured the industry looking for partners to create the scheme. The typical hourly rate for an outsourced DPO ranges from £150-£200 / hour, and the minimum time commitment required by the providers we found was 3-4 hours per month.
Another way around the conflict of interest would be for General Dental Practitioners (GDPs) to ‘buddy’, each acting as DPO for the other. But this is not without its challenges. From the ICO’s definition, the DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. The requirement for expertise means practitioners must be trained. We scoured the industry again and found:
- The appropriate level of training to be a DPO ranged from 1-3 days
- Whilst there were some ‘free’ courses (with a requirement to pay for a certificate verifying that the training had been completed and understood), the typical price was £2,500+ exclusive of VAT
- Courses were generalist and didn’t focus on the needs of a small health practice
So to ‘buddy’ with training alone might be a saving against 12 months at a minimum of £450 + VAT per month, but it would still cost £3,000 and would leave GDPs having to figure out for themselves how to operate the buddy system.
We set out to design a better way: delivering the knowledge, providing support and ensuring compliance. We found a partner in Data Compliance Doctors, who are not just qualified but have been at the cutting edge of the data industry, with many years’ experience and knowledge of challenging privacy regulation on behalf of clients for credit bureaus, in financial institutions, for marketing and for central government.
We created a framework that uses some of the principles of ISO 27001 (information security management), particularly the risk assessment and ongoing review, to enable multiple different small organisations to work to a common standard.
We designed a training programme and toolset that enables GDPs to get compliant, demonstrate compliant processing and maintain records of their compliance efforts. This system also supports the requirements for dealing with Subject Access Requests and handling Data Breaches.
Lastly, we recognised that a small dental practice needs to be able to focus on its patients. So the scheme provides a ‘master’ DPO who provides a programme of continuous education and emergency on-call support.
Most importantly, by helping GDPs to work together as a group, the scheme brings the cost down substantially, to a fraction of the other options.
In developing the scheme we have engaged multiple advisors and best-practice / compliance experts within the dental sector, and they support our approach. Read this viewpoint on GDPUK.com.
The scheme launches late September 2018. Training will be rolled out in groups and, to ensure maximum support – as well as to help us ingrain our professionals in the needs of the sector – our expert ‘master DPO’ will act as named DPO for practices in the initial training cohorts.
Find out more about how the Dental Practice GDPR Compliance Scheme works and how it solves the challenges of appointing a Data Protection Officer.