Any business, charity, or organisation, including sole acupuncture practitioners, that holds personally identifiable information must be fully compliant with GDPR principles.
UK GDPR compliance can be daunting for any organisation. Although the principles of UK GDPR apply to all organisations, small businesses employing fewer than 250 people do not face exactly the same requirements. The Information Commissioner’s Office (ICO) acts as the regulating body for GDPR.
Why complying with GDPR is important
There are three good reasons to comply with GDPR:
- It is in your patients’ best interests to protect their personal details and health records.
- It is your professional duty to always keep patient records secure and confidential and to comply with the law.
- If the ICO were to take action against you for any breach of GDPR, this may affect your reputation as an acupuncturist and lead to a loss of confidence by your patients or potential patients.
In addition, breaches of GDPR could lead to a large fine. When deciding on the level of fine, the ICO would consider:
- the nature and gravity of the infringement
- whether the breach was intentional or negligent
- the mitigating actions taken by the organisation to contain damage to individuals
- the compliance policies and procedures implemented by the organisation
- any past infringements
- the level of cooperation by the processor and controller (the organisation)
- what personal data was involved in the breach
- whether the ICO was promptly notified of the breach
- whether certain codes of conduct were adhered to
The ICO has made clear that maximum penalties will not be handed out without serious investigation and consideration of all circumstances. However, the risk is present, and organisations have had plenty of notice to get their policies and procedures in place.
GDPR guidance from the BAcC
The BAcC produced a range of guidance for members in 2018 as GDPR was brought into force. The guide has been updated and can be downloaded as a complete document. The topics covered are:
- Personal data you hold and why
- How you use personal data
- Privacy notices
- Data breaches (to follow)
The ICO has published a Guide to the UK General Data Protection Regulation (UK GDPR) as part of its Guide to Data Protection. This information includes:
- Key definitions
- The seven key principles of the UK GDPR, including:
  - Lawfulness, fairness, and transparency
  - Purpose limitation
  - Data minimisation
  - Storage limitation
  - Integrity and confidentiality (security)
- The law around processing personal data
- The rights of individuals under the UK GDPR
- Steps to be taken under accountability and governance
- Information on data security