Health Real Estate Tip of the Week: EU General Data Protection Regulation – Are you ready?

Published 8 February 2018

The NHS handles a large amount of personal data on a daily basis. The definition of personal data goes well beyond confidential and sensitive information, which means that you are likely to collect personal data while managing the NHS property portfolio. For example, you may gather and store information about tenants, landlords, employees and agents as part of your normal operations, whether through a manual process or an entirely automated one. Obvious examples of personal data include names, postal and email addresses, telephone numbers, dates of birth and bank details held for regular payments such as rent.

Current data protection law already imposes obligations on how organisations must manage this data and includes significant sanctions for non-compliance. However, the law will be significantly strengthened on 25 May 2018, when the EU General Data Protection Regulation (GDPR) comes into effect. Despite the name, it will continue to apply following Brexit and will:

  • Impose greater obligations on organisations that process personal data;
  • Change the risk profile of data protection compliance; and
  • Give individuals enhanced rights that are easier to enforce.

The new regime imposes:

  • A requirement for data controllers to notify the Information Commissioner’s Office of personal data breaches (within 72 hours of becoming aware of the breach, where feasible) unless the breach is unlikely to result in a risk to individuals, and to notify affected data subjects where the breach is likely to result in a high risk to them;
  • Fines for breaches of up to EUR 20m or 4% of annual worldwide turnover, whichever is the higher; and
  • Simpler routes for affected individuals to claim compensation for non-financial damage, with claimant firms still able to recover success fees from defendants (the Jackson reforms do not apply to privacy proceedings).

Public sector organisations are not exempt from these requirements and may therefore be sanctioned for breach. You should review the extent to which you need to prepare for the new regime, including developing or updating a suitable response plan so that any data breach can be assessed, contained and, where required, reported in time.

DAC Beachcroft’s cyber and data risk team can be contacted to assist now or in the event of a cyber incident or data breach on 0800 302 9215 or DataRisk@dacbeachcroft.com.

Authors

Madeline Ball

London - Fetter Lane

+44 (0)20 7894 6286

Stan Campbell

Bristol

+44 (0) 117 918 2179

Andrea Proudlock

Newcastle

+44 (0)191 404 4098