1.1 GDPR stands for the General Data Protection Regulation, the set of EU rules that updated data protection for all citizens and came into effect on 25 May 2018. It is an update to the previous data protection regulation we had in the UK and is aimed at giving people back control over their personal data through a ‘one-stop shop’.
1.2 Following Brexit, the original GDPR has been retained in UK law as the UK GDPR, as of 28 June 2021.
2. What GDPR means for your service
2.1 Some small businesses are exempt from certain requirements of GDPR, but not care services. This is because health data is classed as 'special category' data and has stricter requirements as a result.
2.2 Because you hold and manage your residents' data, you are classified as a Data Controller.
This means you will have to:
- Know exactly what data you hold and where.
- Consider whether you should hold that data or not (it’s arguably best to hold as little as you need).
- Ensure your data is held in a secure manner (e.g., locked away or on a secure cloud).
- Assign a Data Protection Officer (DPO).
- Complete a Data Protection Impact Assessment (DPIA) and take any steps as a result.
- Update your policies and procedures to include how your business will deal with the new rights of individuals.
- Make sure your staff are aware and trained to the new standards.
3. The impact on managers and owners when using Cross Digital Ltd
3.1 You need to be aware that Cross Digital Ltd is now a place where you will be storing resident data.
3.2 All data is securely stored in the cloud and up-to-date with all current regulatory requirements.
4. How we mitigate data risks
4.1 All activity carried out on the cap.prepod.uk website (the “Elate Platform”) and in the Cross Digital Ltd App (the “Elate Platform”) is logged and recorded, giving you an audit trail should you need it.
4.2 Data portability is built into the system by design, so you can extract your data as needed.
4.3 We have built Cross Digital Ltd to meet all new data protection requirements from the ground up.
4.4 When using the Elate Platform, you will be required to enter a password to gain access.
4.5 We are required to inform you if a data breach does happen, so you will know if anything goes awry.
4.6 We have a robust set of privacy policies detailing what we do with data.
5. What you need to do
5.1 We advise you to:
- Ensure all your staff have their own login details.
- Keep your login details secret and do not write these down.
- Get proper antivirus software for all your devices.
6. New rights of individuals
6.1 There are 8 rights of individuals that are core to the GDPR that you need to be aware of as a care provider. We make it easy to comply with each one:
6.1.1 The right to be informed
Data subjects have the right to know basic information about how you are holding their data and who the processor is. We can provide you with a template laying out what Cross Digital Ltd is and how it works. You can easily adapt it and send it to those who need to know.
6.1.2 The right of access
You must be able to answer questions that data subjects have about their data, or provide a copy of the data you hold on them. It's easy to get a copy of the data from Cross Digital Ltd: just email email@example.com and one of our team will help.
6.1.3 The right to rectification
You can be asked to fix/update any errors in the data you hold on someone. In Cross Digital Ltd, this is as easy as updating their profile.
6.1.4 The right to be forgotten
You can be asked to delete all the personal data you hold on someone. Our understanding is that you should still comply with the requirements of the Care Homes Regulations 2001 (e.g., hold data for 3 years after last entry for adults and 80 years for children) before deleting a resident's data. When needed, you can delete all of the data you hold in Cross Digital Ltd for a resident.
6.1.5 The right to restrict processing
Data subjects can request that you stop processing their data in certain ways. For example, they could ask you to stop using a system like ours and go back to paper to manage their care records, if they really wanted to.
6.1.6 The right to data portability
Data subjects can ask for their data in a form that can be taken to another processor. We make this nice and easy with our Excel export function.
6.1.7 The right to object to processing
If data subjects feel that you do not have legitimate grounds to process their data, they can ask you to stop.
6.1.8 The right not to be subject to automated decision-making, including profiling
We do not use automatic decision making, so that’s an easy one!
7. Data compliance
7.1 We have incorporated the GDPR principles of privacy into our design and security when building our product and processes.
7.2 We protect data with AES-256 encryption, SSL technology, and password requirements for every member of staff.
7.3 We use the same cloud provider as HMRC.
7.4 We’ve been working together to help document our compliance by completing a full Data Protection Impact Assessment (DPIA) and review of our policies and procedures.
8. Recommendations for when you start using Cross Digital Ltd
8.1 You should train staff not to share passwords and to use the system appropriately, so that it enhances the care they provide.
8.3 You should assess the data you are collecting and ensure you are only collecting information you need to operate.
9.1 If you have any questions about GDPR, you can contact us at firstname.lastname@example.org