Quite deliberately, the GDPR is not prescriptive about the IT measures an organisation must take in order to be compliant. It would be unreasonable to expect smaller organisations and global companies to make similar investments in data protection.
Article 5 of the GDPR requires that personal data is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’
But what is considered ‘appropriate security’ for a dental practice, as distinct from what is required of a global social media giant?
Codes of conduct
Articles 40 and 41 of the GDPR allow representative bodies to submit ‘codes of conduct’ for approval. These are designed to ensure that there is a consistent approach in dealing with personal data across the sector and to give clarity to all concerned on items such as IT policies and procedures that are achievable within the sector while still complying with data protection legislation.
So far, no such codes of conduct exist for dental practices.
The Data Protection Commission has made it clear that it expects all organisations to assess their data protection obligations and determine the appropriate actions to protect personal data.
I’ve seen vendors suggesting that their encrypted email service or cross-cut shredders are ‘GDPR compliant’. While these features might reduce the risk or impact of a data breach in certain circumstances, there are many less expensive but more effective measures that you can take to safeguard patient and staff personal data and avoid data breaches.
This article was first published in the October 2019 issue of Irish Dentistry.