GDPR and the role of the Data Protection Officer (DPO)


“We have an opportunity to set out a
new culture of data confidence in the UK”

What is a Data Protection Officer?

A data protection officer (DPO) is an organisational leadership role required by the General Data Protection Regulation (GDPR). DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.


The DPO should:

  • Provide advice and guidance to the organisation and its employees on the requirements of the GDPR.
  • Monitor the organisation’s compliance.
  • Be consulted and provide advice during Data Protection Impact Assessments.
  • Be the point of contact for data subjects and for cooperating and consulting with national supervisory authorities, such as the Information Commissioner’s Office.
  • Take responsibility for carrying out data audits and oversee the implementation of compliance tools.
  • Be able to act independently, be adequately resourced and be able to report directly to senior management to raise concerns.

There are three specific criteria around the requirement to appoint a DPO:

  1. Where the processing is carried out by a public authority or body.
  2. Where the “core activities” of the controller or processor consist of processing operations which require “regular and systematic monitoring” of data subjects on a “large scale”; or
  3. Where the “core activities” of the controller or processor consist of processing on a “large scale” of “special categories of personal data”.

The requirements apply to both controllers and processors.

Article 29 Working Party (WP29) guidance suggests that “core activities” should include activities where the processing of data forms an inextricable part of the controller or processor’s activities. For example, a hospital’s or GP practice’s core activity is the provision of health care, which requires processing of special category personal data such as health records. The hospital or practice therefore must appoint a DPO – this can be an individual or an external service. Conversely, processing such data for payroll and employment purposes would be ancillary to an organisation’s core activities.

When considering whether processing is “large scale”, the WP29 recommends that organisations consider duration and scope (in terms of volume of personal data and data subjects). For completeness, monitoring includes more than just online monitoring: it also covers data-driven marketing, credit scoring, location tracking, CCTV, and using data from connected devices such as wearables, smart meters and home automation. Much of this will not apply to a GP practice.

  • Duration: All day

  • Location: On-site/locally

  • This workshop can be delivered on its own or as a two-day programme.

Who should attend?

Don't miss the opportunity to work with leading specialists in a series of full-day workshops specifically focused on the ‘business’ aspects of General Practice.
  • General Practitioners

  • Practice Managers

  • Senior Practice Nurses

  • GP Administrator Managers

Objectives

This workshop focuses on the role of DPO, what to do and how to do it. This includes:

  • Educating the practice and employees on important compliance requirements, and training staff involved in data processing
  • Conducting audits to ensure compliance, addressing potential issues and monitoring performance
  • Determining the need for Data Protection Impact Assessments, monitoring the DPIA process and advising on the documentation requirements
  • Appointing expert advisors, delegating duties and the DPO’s position in the practice
  • Patient rights and the practice consent strategy
  • Contact with the ICO and breach reporting
  • Interfacing with data subjects

Workshop Agenda

Below is an outline of the proposed agenda; if you have any questions, please get in touch.

09.15 Registration & Coffee
09.30 Introduction and Welcome
09.45 Overview of the DPO – Day Two & Objectives

  • DPO – the role, the responsibilities, and the liabilities
10.00 DPO – Advising the Practice & the Patients

  • Subject rights, and acting as a point of contact for data subjects
  • Inform and advise the practice of their data protection obligations under the GDPR
  • Inform and advise the employees of their data protection obligations under the GDPR
  • Informing and advising the patients of their rights
10.30 DPO – Monitoring the practice for GDPR & Data Protection compliance

  • Monitor the organisation’s compliance with the GDPR and internal data protection policies and procedures.
  • Audit – Conducting audits to ensure compliance and addressing potential issues, monitoring performance
10.45 BREAK
11.00 DPO – Serve as the contact point for all data protection issues

  • DPO Independence
  • DPO Accountability
  • DPO qualities
    • Level of expertise
    • Professional qualities
11.30 DPO – Serve as the contact point for individuals (data subjects)

  • Privacy matters
  • Individuals’ Rights and The NEW Data Protection principles
  • Consent
  • Subject Access Requests – setting the policy and procedures, monitoring the process and the outcomes
12.30 LUNCH & Networking
13.15 Data Breach Management and Investigation

  • Detection and the recording of data breaches
  • When and who to notify when a breach occurs
    • Informing the business/practice
    • Informing the regulator/Commissioner
    • Informing individuals
  • Investigation
15.00 BREAK
15.15 Data Breach Management and Investigation (cont.)

  • Action planning and shared learning
  • Enforcements and penalties
15.45 Creating the DPO Action Plan and shared working

  • Create the Plan
  • Challenges to come
16.30 Summary of Key Considerations – and Q&A
16.45 Close

The PMA delivers a range of Workshops

If you would like information about workshop dates or would like to develop a specific programme or host this workshop, please call 0330 111 6459 or email enquiries@practicemanagersuk.org
