Almost a year on from the GDPR deadline, David Stothard, managing director of MAPS Medical Reporting and a former personal injury solicitor, outlines why ignoring the changes to data protection could prove costly for law firms working in the personal injury and medical negligence space.
On 25 May 2018, a data protection regulation update came into force that transformed the way businesses and organisations obtain, use and store people’s personal data.
The General Data Protection Regulation (GDPR), supplemented in the UK by the Data Protection Act 2018, replaced the Data Protection Act 1998 – putting data power and control firmly back in the hands of the individual.
Its advent was a wake-up call for organisations that had previously been sleep-walking through their data procedures. The legislation demands businesses tighten the security and protection of data they hold – or risk significant financial penalties.
Why GDPR matters in the medico-legal space
Every day, medical reporting organisations (MROs) receive sensitive and personal details and medical records (special category data) from law firms about the clients they are representing, and their injuries. They have a legal and moral responsibility to ensure every member of their team complies with best practice and UK legislation. This now includes GDPR.
This detailed, and highly confidential, information is essential in allowing MROs to recommend the most appropriate medical experts with the relevant specialisms to support the law firm's client's case. MROs provide law firms with the personal data of appropriate medical professionals and may also liaise with GPs, hospitals and physiotherapists to obtain the medical records the experts need to do their job.
Some GPs still have paper rather than digital patient records, and some of those records contain decades-worth of GP notes. When reams of paper with sensitive data are being physically moved between locations, the risk of something going amiss rises sharply.
It is imperative that MROs have robust data protection processes in place throughout their operation. After all, GDPR is not simply a change to the law; it is a direct response to a rise in data breaches that threaten people's security and privacy. For evidence, look no further than the various ICO prosecutions relating to inappropriate access to patient health records by staff in NHS Trusts, GP surgeries and other health service providers, as well as insurers. Failure to take proper precautions with patient record security is clearly in the ICO's sights.
Can you really trust your MRO with sensitive client information?
It has never been more important to know that the MRO you are trusting with your clients' personal details and medical records is up to speed with GDPR and has its house in order. If it doesn't, you run the risk of not only undermining the trust and relationship you share with your client but also facing a hefty fine – up to four per cent of annual global turnover or €20 million, whichever is higher. So don't be afraid to ask your MRO what measures it has in place for GDPR and medical records, and how those measures protect both you, its customer, and your client.
MROs are not just data processors. As professional service providers they are also data controllers and, given the nature of the work they are doing for their law firm customer and that firm's client, they are usually joint controllers of the personal data with the law firm. Article 26 of GDPR requires joint controllers to set out their respective responsibilities in a transparent arrangement, so the MRO and the law firm need properly agreed roles and responsibilities for GDPR compliance, and that arrangement should also address the liability risk of a breach by either joint controller.
At MROs, multiple staff touch personal data on a daily basis. Don’t be afraid to scrutinise the systems your chosen provider has in place to protect your clients’ data. You need to be confident that your supplier has covered all bases – because it’s also your reputation on the line.
Key points to put to your MRO
Asking these straightforward questions could save you millions in fines.
– Have you provided all staff with GDPR training?
– Do you have a data security manual, and is that manual up to date?
– What changes have you made to your systems to record and evidence GDPR-compliant consent (and, where consent is not the lawful basis you rely on, which basis you record instead)?
– What new systems have you implemented – for example on email – to ensure data security?
– Who is your data protection officer?
You should feel confident your chosen provider is handling your clients' data securely and, if it's not, perhaps it's time to contact us. We're GDPR-ready. We have adopted an email encryption system as standard, invested time and money into being watertight on process and have conducted detailed training and regular internal refreshers with all staff on GDPR.
Is your MRO ready if something goes wrong?
Of course, occasionally things can go wrong. In the event of a data breach, your MRO's priority should be the wellbeing of the client whose data has been affected, and it must tell you promptly: GDPR requires a processor to notify the controller without undue delay, and a controller to notify the ICO within 72 hours of becoming aware of a notifiable breach, so the clock is running for both of you. Are you familiar with your provider's complaints and breach-notification procedure? Have you been assigned a named contact you can turn to in a crisis? Having a clear system in place to log all data incidents, no matter how small, will give you peace of mind and ensure you can enact damage control in those, hopefully, rare cases of a breach.
A transformative opportunity
While the introduction of GDPR was daunting for some, it has presented a unique opportunity for firms to positively transform their methods of working – placing clients’ data safety front and centre.
Get it right and you can build strong relationships with clients and service providers that rest on trust and transparency. Get it wrong and the consequences are dire.