Gabriel Voisin, partner at Bird and Bird LLP’s international privacy and data protection branch, will be speaking about the impact of the General Data Protection Regulation (GDPR) and what it means for the health sector at the first Public Cyber Security conference next month. Voisin spoke to reporter Hannah Crouch about how GDPR differs from current data laws and how regulators will enforce it on 25 May.  

Voisin, who provides advice on GDPR and guarding against potential cyber intrusions, told Digital Health News that the main focus of his talk on Thursday, 7 December will be how GDPR is linked to cyber security.

The impact of GDPR on the health sector

In a bid to encourage transparency and put more control in the hands of citizens, the introduction of GDPR in 2018 will see tougher fines dished out to organisations that breach data regulations.

For the health sector, which handles sensitive files such as patient records, this could mean data privacy impact assessments becoming mandatory at the start of any relevant activity.

Voisin said the new rules will make it compulsory for organisations, including the NHS, to notify the Information Commissioner’s Office (ICO) if there is a breach of data regulations.

The breach must be reported within 72 hours or organisations could face an £8.8 million (10 million euros) fine.

Voisin said the challenge will be for NHS hospital trusts to make sure a plan is in place for what to do if there is a breach, so that they meet the new deadlines.

Right to know

The second part of the new rules is less automatic, according to Voisin, as organisations also have an obligation to notify individuals where there is a ‘high risk’ that their information has been breached.

However, he said that working out what constitutes ‘high risk’ will be another challenge for NHS trusts.

ICO’s involvement in enforcing GDPR

Voisin will be joined by Peter Brown, ICO group manager, at the Cyber event’s Policy and Skills workshop.

He predicts Brown will be ‘put on the spot’ about how the ICO will deal with those organisations that fail to have a plan in place by May 2018.

“Some are going to miss the deadline and there is going to be cracks,” Voisin said.

“The question is going to be what is the enforcement?

“It will be interesting at the conference to hear from the regulator on how it plans to do that.

“The ICO has made it clear there will be no grace period and have been very strong.”

Current laws

Currently, the UK complies with the Data Protection Act 1998, which protects people’s personal data.

Voisin said data protection laws are due for renewal, as the Act came into force ‘before Google arrived’.

“GDPR provides legislation which is appropriate for this new environment,” Voisin said.

You can catch Voisin between 11.55am and 12.40pm at the ICC Birmingham.

A new peer-to-peer cyber security warning alerting system is also due to be launched at the Public Cyber Security conference.

The ‘NHS Cyber Security Batsignal’ has been designed to provide immediate alerts of future cyber security incidents and enable sharing of information on how to respond, ensuring digital leaders across the NHS can remain in contact even if official channels are out of action.

The Public Cyber Security conference is free to attend for public sector information security, IT and IG professionals.

You can register by visiting the event’s website.