GDPR – Is it time to panic? What you need to know
May 07

We’ve heard about the impending legislation that’s shaking up the marketing and business worlds and causing all of those “We’re updating our databases” letters and “privacy notices” that keep dropping through our letter boxes, but what does it mean for you? Also, what changes do you need in your CRM or LIMS software to make sure you are compliant? The date that the changes to the data protection law come into force is 25th May 2018, which is very close now. So, we need to be sure about what changes we’re making and who needs to make them if we’re to stay legal.

Is it time to panic? Well, it depends on how much preparation you’ve already done but even if you haven’t done much about it yet, don’t give up. You need to get your thinking caps on quickly but it’s not too late.

What’s it all about?

Let’s get one thing straight, GDPR is a good thing.

The laws governing how businesses store and process personal data are being tightened up to drag them into the 21st century. The main aim is to clarify ownership of that personal data. It’s owned by the person to whom it relates and they are having their rights clarified in law. This will benefit all of us in our general lives.

In the medical research industry we’ve been very hot on informed consent for several years due to the Human Tissue Act – although the Data Protection Act is also applicable and GDPR is an extension of the DPA. So, in theory, if we’re operating best practice then this won’t be a radical change.

What about BREXIT?

The General Data Protection Regulation (GDPR) (EU) 2016/679, while a European Union regulation, is being enshrined in British law. It will be law in May 2018 and it’s very unlikely to change after BREXIT. If we don’t keep it then no EU countries will be able to share sensitive data with a UK institute, and that’s bad for UK research and UK business.

The main points

The main changes are that all personal data collection and processing must be opt IN rather than opt OUT and individuals have much more control over how their personal data is used.

The rights enshrined in the law are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

What’s the minimum you need to do?

  • Check online guidance – there’s a lot of good stuff online, starting with the Information Commissioner’s Office
  • Know your responsibilities
  • Update your Standard Operating Procedures

It’s worth talking to your CRM database, LIMS or clinical management system supplier, or looking at implementing a new system. Using Excel or self-built systems can be a false economy, as compliance can become very time-consuming. In addition, the responsibility for data management, auditing and encryption/anonymisation lies with you.

With a bit of focus you can get your processes tightened up and be compliant in time for the deadline. But don’t forget about it thereafter. Compliance gives the additional benefits of clearer processes and better data quality. So you can look at it as a win-win!


About The Author

Gary Rooksby has over 25 years’ experience implementing and evolving corporate systems including manufacturing and quality systems for a range of major clients such as the MOD. For the last 18 years Gary has specialised in Sample Management Software with emphasis on process optimisation and data management. Gary works in partnership with clients and draws on his wealth of experience to help institutes and their teams to maximise the benefits from new and upgraded systems. Business needs are constantly evolving, and Gary loves the changing challenges. Gary always focuses on delivering value to the users, whether that is financial, scientific or simply easing workloads. He believes that the system is never an end in itself; it is a tool to help the users achieve their goals and that principle is always at the heart of any system or data designs.