With GDPR taking effect this month, Locsu has issued two lots of guidance to LOCs to ensure they comply. Unlike optical practices and Primary Eyecare Companies, LOCs do not deal with patient data but they still hold and process other types of personal data.
The guidance and an audit tool can be found on the Locsu website under the LOC guidance tab. The key actions include:
Awareness – ensure that members are aware that the law is changing and the impact that this will have.
Record all personal data held.
Identify and document lawful bases for processing personal data.
Ensure privacy notices are available to individuals at the point of collecting their data. They should be reviewed and updated if necessary.
Requests from individuals, including subject access requests – many of the rights for individuals are the same as those under the Data Protection Act, but there are significant enhancements. LOCs should check their procedures and consider whether any changes need to be made.
Data breaches – GDPR has introduced a duty for all LOCs to report certain types of data breach to the ICO and, in some cases, to the affected individuals. You must report a notifiable breach to the ICO without undue delay, and not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
Roles and Responsibilities – the definitions of a data controller and data processor are likely to remain the same as under the existing law. Some, but not all, data controllers will have to appoint a Data Protection Officer (DPO) and/or perform a Data Protection Impact Assessment (DPIA).