FROM May 25th, 2018, the General Data Protection Regulations will be enforced. GDPR is a new EU-wide* framework which supersedes the UK Data Protection Act and EU Data Protection Directive.

GDPR requires organisations to be more accountable for the data they process, gives individuals an expanded set of rights on how – or even if – their personal data is processed, and requires “privacy by design”.

The enforcement framework has changed, too. Eye-watering fines are available to the Information Commissioners Office (ICO) for those breaching the new legislation: up to €20m or 4% of global annual turnover for the most severe infringements. It seems plausible that supervisory agencies will find early infringers and be keen to wield these fines, “pour encourager les autres”. This is a compromise, too – the EU Parliament wanted fines of €100m / 5%.

And yet, surveys suggest that UK SMEs are far from on-track with achieving compliance: At the six  month point, Close Brothers polled nearly 1000 SMEs in the UK and ROI in their November Business Barometer, with less than a third of those polled stating they were “clear what personal data means in a business context”. This is compounded by ambiguity about some of the finer points of the regulations, with the EU and the ICO still working to provide more detailed guidance in several areas.

The technology, processes and the types of data involved in rehabilitation all add to the challenges in achieving GDPR compliance:

  • Digital healthcare advances see the patient record distributed across many systems and platforms, all of which require protecting from unauthorised access or editing;
  • Successful rehabilitation case management involves the cooperation of many stakeholders – often as many as 10-15 separate organisations throughout the lifecycle of a complex case;
  • Working with the biopsychosocial model often requires the processing of most of the “special category” data, not only health, but often religious or political beliefs and sex life or sexual orientation.

With huge fines, negative front-page publicity, and even the right for the ICO to require an organisation to cease processing data, the risks are too big to ignore.

So, what should you look for when assessing your rehab provider’s readiness for GDPR?

  • Understanding: With many GDPR myths already floated – “you must have consent before your process data” – how well do your provider understand the GDPR regulations? Have they identified their lawful basis to process data, understood the role of consent within their processes, and do they understand how the new rights for individuals interact with these areas? Have they identified the additional conditions for the special category (such as Health) data they process? Do they have the in-house knowledge or support from a legal team or security consultancy?
  • Preparedness: Does your rehabilitation company have a clear project and team in place to achieve compliance? Have they appointed a Data Protection Officer? How are they addressing the expanded rights of individuals under the GDPR? Ask them for information on how they will handle the reduced Subject Access Request timeframe, or requests for the new rights of data erasure or portability.
  • Transparency and Accountability: Ask your case management company to clearly demonstrate what data they process, how that data is protected, and where the risks are. Most companies should have completed data flows and information audits to understand their data and should have a process in place for reviewing these. Ask to discuss their plans to conduct Privacy Impact Assessments when processes or technology change.
  • Engagement: Have your rehabilitation provider started engaging with you about GDPR? Are you discussing how to ensure data you share with each other is protected and processed in line with the regulations? Have you and they reviewed (or indeed, established) joint data-sharing agreements, clarifying the data processor-data controller relationship if necessary?

If the answer to any of these is no, your rehabilitation provider may be one of the 32% of British companies who indicated they were not ready in a January 2018 EY data analytics survey.

At HCML we have been actively preparing for GDPR since the new regulations were issued. A dedicated project team – as well as an expert IT law firm and our information security partners providing legal and technical support, respectively – are working through our compliance plans. We are engaging with all customers to ensure the agreements we have in place meet the new regulations, and that any joint responsibilities are clear.

We’re also finalising a number of technical improvements which ensure our clients and patients have all the information they need to manage and control their personal data within the new framework, and to ensure data shared between stakeholders in the rehabilitation journey.

Any of HCML’s commercial team will be happy to discuss our approach, these improvements, and how we will be engaging with you around GDPR as the deadline draws nearer. Please email us at or call our sales team on 020 8649 8006 to discuss this further.

Anthony Eeles

Chief Digital / Information Officer, HCML.


*Footnote: The UK Government has confirmed that the GDPR regulations will be adopted into UK law when the UK leaves the EU. A few details, such as the role of the ICO as a supervisory authority, are still to be discussed, and international data transfers should be kept under review, but the vast majority of the GDPR provisions will remain in place after the withdrawal from the EU.


Further reading: