GDPR in the Care sector – what you need to know

On 25th May, the rules around how organisations keep and use data are changing. At McClarrons, we’ve pulled together an overview of what the rules are, and how you can stay compliant.

The new General Data Protection Regulation (GDPR) is an EU rule which will replace the Data Protection Act of 1998 from 25th May. Britain’s exit from the EU will not affect the changes, which have been brought about to give people greater control over their information and how it is stored and used by all types of organisations, including those in the care sector.

As care and nursing homes are more likely to hold sensitive data, it’s especially important that care organisations take note of what GDPR means for them, as a breach could have a notable impact on those whose data has been left vulnerable.

Any fines or investigation from the Independent Commissioners Office (ICO) are dependent on the severity of the breach, and it’s up to you to keep people’s information safe.

Organisations which fail to comply with GDPR risk fines of up to €20 million or 4% of annual turnover, whichever is greater, for the most serious breaches.

What does GDPR say about data?

The principles of the new regulation say that personal data held by organisations should be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up-to-date
  • Kept in a form which permits identification of data subjects for no longer than is necessary
  • Processed in a manner that ensures appropriate security

How to stay compliant

Familiarise yourself with the data you currently hold – You need to review what personal data you currently hold, why you have it, and how you obtained it. The new rules, as stated above, allow you to communicate information which is essential to the provision of your service.

If you want to continue to send marketing communications, you’ll need to ensure that contacts have actively “opted in” to phone calls, emails, letters or texts.

Focus on security – Encryption sits high on the GDPR agenda as this greatly reduces the likelihood of leaving data vulnerable to exposure. If you demonstrate that prudent measures have been taken to protect the data you hold, including encryption, staff education and anti-virus software, you’re less likely to incur a penalty if there is a breach.

Be aware of new rights – Be prepared for the fact that individuals have more rights when it comes to accessing the data you hold on them and asking for it to be removed. One of the differences between GDPR and the Data Protection Act is that there are no fees for individuals to pay when making a data request.

Understand what represents a breach – A breach goes beyond losing someone’s personal data or leaving their information vulnerable to hackers. It can also relate to unauthorised access or disclosure, loss or complete destruction, and alteration.

Depending on the repercussions, such an incident could be classed as a “serious breach”, and would, therefore, need to be reported to the ICO within 72 hours. An example might be an event which leads to lost medical notes.

A minor breach may refer to an instance where data hasn’t been compromised (such as sending an email to the wrong person) and so wouldn’t need to be reported.

Update your privacy notices – Your website privacy notices explain the legalities around your need to process data. As there will be greater restrictions on why you hold personal data and for how long, these privacy notices will need to go into much greater detail, but still be easy to understand for your customers.

Under the new GDPR, information within your website privacy notice should include:

  • Why you’re processing the data in the first place from a legal perspective
  • Who you may be sending it to
  • How long you’re holding it for and what determines this period
  • A reminder of the data subjects’ rights

Do you need a data protection officer (DPO)? – Organisations with over 250 employees dealing with sensitive data will need to appoint a data protection officer, to monitor or process sensitive data.

If you have fewer than 250 employees, you will need to document instances of high-risk processing.

To discuss your responsibilities and how insurance can support you in the face of regulatory action, get in touch with the care team at McClarrons. Call 01653 697055 or email
