Welcome to the final blog in my series GDPR made easy for counsellors; hopefully you’ve found it useful.
I’m not a lawyer or legal expert. I’m just a counsellor who has read the guidance on the ICO website, understood it, applied it to my counselling business and tried to break it down into bite-size chunks to help others.
Remember, as individuals you are all responsible for making sure your business complies with GDPR. To focus the mind: fines will apply from 25th May, when it will start to be enforced. Everything you need is on the ICO website.
Make sure you know the difference between ICO information management and data protection (soon to be GDPR).
ICO: Register with the ICO if you collect, store or process personal data electronically. https://ico.org.uk/for-organisations/register/
Top Tip Don’t just register with ICO and think you fully comply with GDPR.
What you need to be doing now. GDPR checklist
1. Information audit (see blog 3, Data you hold review)
· Review the information you currently hold and what the various documents are.
· Don’t forget it’s not just clients’ information, it’s all aspects of your business: workshops, newsletter, blog email list etc.
· Decide whether it’s classed as personal data or not. Decide if you hold any sensitive personal data (soon to be called special category data).
· Review your secure storage regardless of it being paper, electronic, online.
2. New documentation required
· You need to record in writing (paper or electronically) an audit of the information you hold. See sample table at the end of this blog.
· Top tip: Your ICO entry will give you a good starter for 10
3. Data collection
· Review whether you collect adequate and relevant data. Remember you don’t need to collect everything and their shoe size.
· Be clear the client has a right to see the data held on them (free of charge for the initial request)
· Big firms must appoint a data protection officer. We can voluntarily appoint one. Since I am a sole trader and there is me, myself and I, I have decided that the data protection officer I will appoint will be me.
4. Processing
· Make sure you know the lawful basis / legitimate reason for sharing the data you hold. Consent doesn’t always have to be your only option. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
· Are you clear on the legal basis for processing all the special categories of personal data (currently known as sensitive data)?
· If you rely on consent, can you demonstrate/evidence consent was given freely and actively given? Does the data subject know they can withdraw consent?
· If you use a company/someone else to process your data check how they comply with GDPR. It's your responsibility to know if they do or not.
· Do you know if your processor is based outside of the EEA?
Top tip: Default tick boxes are no longer allowed
5. 8 rights of the individual (see blog 5, 8 rights of the individual)
· Make sure you understand the new rights of the individual.
6. Privacy statement (see blog 4, Privacy statements)
· Review and update your privacy statement, (you should already be using them) or write one if you are new or have never used one.
· The client must see/be told this at the point at which you collect personal data. Not at the point at which they sign a factual contract containing no personal data requests. Can you evidence the client was told?
· If the data was received from a third party, a privacy statement should be given within a reasonable period after obtaining the data, but at the latest within one month.
· If you work with children, as now, make sure the language is simple and you are clear about gaining valid consent.
· The tricky part: do you have consent from all clients you currently hold information on to keep their records? Agreement is retrospective.
Top Tip Simply be honest and transparent about what you collect and what you intend to do with it.
7. Data retention (see blog 6, Keeping data)
· Ensure data is retained only for as long as necessary and for the purpose for which it was obtained.
· Check with your insurance company how long they need you to keep adequate client records. Decide what for you is acceptable as adequate records.
· Top Tip Review all the records you currently hold, do you have any longer than your retention period? Do you need to dispose of any information as confidential waste pre 25th May?
8. Data Breach
· Check your understanding of how to report a data breach within 72 hours.
· If the breach may result in a high risk to the rights and freedoms of the individual concerned you will need to notify them too. If data is encrypted or otherwise unintelligible, then individuals will not need to be notified.
Sample record sheet – find a way that works for you and complies with GDPR
| Documents held | Categories of individuals | Categories of personal data | Purpose of processing and lawful basis | Retention schedule and disposal method | Type of secure storage |
|---|---|---|---|---|---|
| Contact sheet | Clients | Phone number, address, emergency contact. Sensitive personal data – medical conditions | Harm to self or other, terrorism, money laundering. Consent / legitimate reason | How long do you keep it for? How do you dispose of it? | Where do you store it? Is it password protected? |
| Contract | Clients | None | | | |
| Clinical notes | Clients | None | Harm to self or other, terrorism, money laundering | | |
| Code doc – linking name to notes | Clients | | | | |
| Workshop contact info | Workshop participants | Phone number | | | |
| Blog emailing list | | | Marketing – what’s the lawful basis? | | |
| Newsletter emailing list | | | Marketing | | |
The full series of my blogs is available on my website at: www.counsellinginnotts.co.uk
· Blog 1 ICO information management
· Blog 2a Data protection recap
· Blog 2b 8 principles of data protection recap
· Blog 3 Data you hold review
· Blog 4 Privacy statements
· Blog 5 8 rights of the individual
· Blog 6 Keeping data / data retention
For those who work with children, the consultation on the GDPR and children guidance doesn’t close until the 28th Feb. https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/children-and-the-gdpr-guidance/
Don’t forget that the ICO website GDPR guidance is a living document and is therefore being continually updated and extended right up to the 25th May.
See you on the other side of GDPR.