What GDPR will mean for your doctor’s practice
The compliance deadline for the General Data Protection Regulation (GDPR) is fast approaching. Have you been planning ahead to make your doctor’s practice GDPR compliant?
The regulation that will be enforced on 25 May aims to strengthen and unify data protection for individuals within the EU and address the export of personal data outside the EU. This is a good thing – citizens will ultimately gain back control of their data, which today, has become a commodity.
But the demands of GDPR compliance are wider-ranging than you might think. With less than four months to go before the regulation becomes enforceable, it’s important to be aware of the steps your private medical practice needs to take.
What’s changing
In your healthcare business, you’ll be processing data that includes names, photos, email addresses, medical records, and often patients’ bank details. In addition to your patients’ data, you’re also holding personal information about your employees.
From May onwards, you’ll need to show that the way you treat this data is GDPR compliant; otherwise, you will be penalised. The fine can be hefty: up to 4% of your practice’s annual turnover.
Here are some of the key points to look at:
Consent
You need to ask for consent to store personal data, and the terms and conditions need to be accessible and transparent. You must also make it clear to people that they’re free to withdraw their consent. So, if at the moment you’re storing data without explicit permission, you’ll need to contact the individuals to request consent before May. It’s also important to note that if you’re dealing with children, you’ll need approval from their parent or guardian.
Breach notifications
If there’s been a data breach in which personal information might have got into the hands of a third party, you must notify the authorities within 72 hours of becoming aware of it. Review your existing data protection protocols and add this step if it isn’t already there. Plan for the worst and have a detailed action plan in place in the event of a cyber-attack.
Right to access
Your patients have the right to ask for their data and to know how you’ve been using it. You’ll need to be able to give them an electronic copy of their data free of charge. Again, make sure you have an action plan in place that enables this.
Data protection officers
Where activities include “regular and systematic monitoring of data subjects on a large scale”, you’ll need to appoint a data protection officer. Assess your staff, select a person and adjust their job description accordingly.
Where to turn for guidance
For more information visit the GDPR section on the website of the Information Commissioner’s Office. You can also check out the guidance issued by the national GDPR working group and the Information Governance Alliance (IGA) on NHS Digital.
Speak to us at TaxAgility if you’re worried about budgeting for the changes you need to make. Working with dedicated and knowledgeable medical accountants like us means that you’ll know where your finances stand so you can concentrate on GDPR compliance without worrying about your accounts.
We’re specialist accountants for doctors, so talk to TaxAgility about how we can assist your doctor’s practice.
Time for Small Businesses to Start using RTI
Real Time Information (RTI) has been slowly phased in since April 2013, and last month HM Revenue and Customs (HMRC) announced that employers with fewer than fifty employees (small and micro business owners) will be required to start using RTI for each member of staff on their payroll from today, 6 March 2015.
The RTI system, which we’ve reported on extensively since it was announced over two years ago, is a new way for business owners to report Pay As You Earn (PAYE), with the hope that the new, real-time method of reporting payments to employees will improve the accuracy of returns, ensuring that employers are paying the correct amount of tax.
Top Tips on RTI for SMEs
Back in April 2013 HMRC introduced Real Time Information (RTI) PAYE reporting, a new system designed to improve the accuracy of returns while ensuring employers such as yourself are paying the correct amount of tax.
Unlike the previous system, in which you would submit an end-of-year return to HMRC with the full tax liability of each employee, under RTI PAYE reporting you’re required to submit information to HMRC about employee pay and deductions each time a payment is made – unless you employ fewer than fifty employees and some are paid more frequently than once a month.
RTI Relaxation
The real time information (RTI) system for submitting PAYE information to HMRC must be used by small employers from April 2013. However, there has recently been a temporary RTI relaxation of one of the reporting requirements for employers with fewer than 50 employees.
What is RTI?
Real Time Information: New Changes to PAYE
From April 2013, HMRC is introducing a new way of reporting Pay As You Earn (PAYE). The new RTI system is designed to improve the accuracy of returns, and to ensure that employers are paying the correct amount of tax.