Compliance has to be in proportion to the business
CODE has been successfully providing compliance solutions to dental practice owners and managers for 40 years. The new General Data Protection Regulation (GDPR) and Data Protection Act 2018 can seem quite daunting, especially if you listen to webinars or read advice that has been developed for bigger businesses. The trouble with new compliance legislation is that it is usually created with a ‘bird’s eye view’ of business, which means that the creators can only really see the bigger organisations and public authorities, the damage that a data breach from them could potentially do and the resources that they have available to manage data protection. It takes some time for compliance to filter down to much smaller businesses such as dental or medical practices, and for the powers that be to refine their advice to meet the needs of smaller businesses.
But compliance must be proportionate to the business, otherwise it will be ignored by most and won’t succeed in raising standards. For example, if all small businesses in the UK decided that GDPR was too much to handle, or weren’t able to comply, the local regulation would fail and would have to be re-written to meet our needs. In recent times there has been an explosion of compliance for dental teams, which is why CODE now provides the iComply application to schedule the compliance into a manageable year of monthly activities.
We are at a difficult point with DPOs because at the present time, it seems impossible to meet the requirements as set out in GDPR if we try to follow them to the letter. I’ll explain why a bit later.
CODE advice is adapting and changing rapidly as new information and guidance comes out from the ICO and the government, and we are waiting to hear how the ICO analyses the new Data Protection Act. These changes are put into iComply so that members will know what to do as soon as we know. It is likely that as the situation is explored more fully and tried in real life, the requirements for DPOs for primary care will be modified.
There are about 10,000 practices that offer NHS dental treatment. Many are small, with two dentists, one receptionist and two dental nurses; some are smaller, with just one dentist and nurse; and some are larger. The NHS fees are finely balanced so that the staff and dentists can earn an appropriate salary, and after paying all costs most practices make less than 9% profit; some struggle to break even.
The GDPR says that Public Authorities must have a DPO. The definition of a public authority includes not only the national, county or city governmental agencies, but also the NHS itself, local authorities and dental practices: from the massive, overarching governmental organisations to the humble dental practice. For now, the DPO requirements are the same for all organisations, including:
“The DPO must have expert knowledge of data protection law and practices and the ability to acquire detailed understanding of the organisation’s business, the purposes for which it processes, or intends to process personal data.
The DPO has proven ‘expert knowledge of data protection law and practices’, the ability to perform the tasks specified in the GDPR, and sufficient understanding of the organisation’s business and processing.”
There is no doubt that a massive Europe-wide shortage of candidates with suitable expertise for this role is looming, with all of the big businesses in Europe now snapping up people with experience. I imagine that salaries for the people with the relevant background would start at £40k, if they were available. However, there just isn’t enough work in a dental practice, even a large one, to justify employing somebody. Not much changes from year to year in our practices; once the GDPR policies and procedures are in place they just need updating and maintaining. In order for every practice to have a DPO qualified to the standards currently in GDPR, the NHS would need to increase funding in dentistry by 10,000 times £40K, or £400m per annum, to pay for them.
Another option is to use a consultancy DPO service. With the law of supply and demand kicking in, this is likely to be expensive too. Is it even possible to find 10,000 consultancies in the UK who understand dentistry? It has been estimated that the cost of these consultants would be in the region of £15,000 per annum. This would mean that NHS dentistry will need an additional £150m of funding immediately to cover the cost of consultants, if they can be found. The initial setup may incur the highest consultancy fees. There are various web-based services, but can these be considered to be a Data Protection Officer?
The CODE view
Recently, after lobbying by the profession, ministers have refused to make exemptions from the Data Protection Officer requirement for small NHS providers.
It is CODE’s suggestion that the Information Governance Lead takes on the role of Data Protection Officer for the time being while the practice sees how the situation unfolds. But you may decide to engage a DPO consultant.
The CODE iComply application provides a comprehensive set of policies, risk assessments and procedures to meet the GDPR requirements. These are proportionate to a dental practice and are based on 40 years’ experience. Most dental practices work in a similar way and the templates can be modified to meet local differences. Armed with the right information and guidelines, the practice manager or principal of a dental practice should be able to meet the GDPR requirements and act as the DPO, but they certainly will not have:
“Proven ‘expert knowledge of data protection law and practices’”
It is necessary to see how the situation unfolds, when the costs, necessity and availability of expert DPOs for the many thousands of UK businesses that need them become apparent. It is my view that the guidance from the ICO on this particular aspect of the regulations will change. Until then it seems that practices may have little choice but to take on this role internally, meet the GDPR requirements to the best of their ability and see what happens.
Please make your own decision
Whilst we say that the practice manager or principal could be the DPO, this is not an absolute guideline from CODE because, as of now, it does not seem to meet the DPO requirement fully. You may decide to take on a DPO consultant, use a web service such as Trust Ark or, if you are a larger practice or group of practices, employ an expert. As always, we recommend that you take individual professional advice to suit your circumstances before making a decision. To us, however, at this time, having your own DPO seems like a proportionate way to meet the requirements.