GDPR in Care Homes | Use a CRM To Stay Compliant

Our expert: Rory Wilson, Partnerships @ Found. 23/05/2023. 8 mins read

One of the most important legal obligations when running a care home is compliance with the General Data Protection Regulation (GDPR), the law that protects individuals' rights over their personal data.

If a care home doesn't comply with GDPR, the consequences can be severe: regulatory action and fines from the Information Commissioner's Office (ICO), which under UK GDPR can reach £17.5 million or 4% of annual worldwide turnover, a damaged reputation, and claims for compensation from residents or their families.

The good news is that Customer Relationship Management (CRM) software and care-home-specific management platforms can do much of the work of staying compliant. Here, we've explained the key principles of GDPR, how it applies to care homes and how Found can help.


What is GDPR?

The General Data Protection Regulation (GDPR) was adopted by the European Union in 2016 and has applied since 25 May 2018, replacing the 1995 Data Protection Directive. Its goal is to ensure personal data is handled carefully and lawfully, while giving individuals greater control over their own personal data.

The rights GDPR gives individuals include the right to access their data, the right to have it corrected or erased, the right to restrict its processing, and the rights to data portability and to object to certain processing.

GDPR applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor, people in the EU, whatever those people's nationality. Since the United Kingdom left the European Union, organisations here follow UK GDPR (the EU text retained in UK law) together with the Data Protection Act 2018, which together are broadly the same as EU GDPR.

What is personal data?

Personal data is any information relating to a living individual who can be identified, directly or indirectly, from that information on its own or in combination with other information an organisation holds.

Personal data is collected for a variety of reasons, including marketing, keeping medical records, keeping track of employees and providing a service to customers.

Common examples of personal data include:

  • Name
  • Address
  • Telephone or mobile phone number
  • Email address
  • Date of birth
  • National Insurance (NI) number, or a different form of identification issued by the Government
  • Forms of identification such as your passport or driving licence
  • Medical information (health data is 'special category' data under GDPR, so processing it needs an additional lawful condition and stronger safeguards)
  • Financial information, including your bank account details
  • Your IP address or other methods used to identify you online
  • Biometric data used to identify someone, including facial recognition or fingerprints (also special category data)

What are the Key Principles of GDPR?

General Data Protection Regulation (GDPR) lays out seven key principles to follow when it comes to dealing with personal data. These principles guide organisations to ensure personal data is processed legally, fairly and transparently, with the rights and freedoms of individuals being protected. These are:

  1. Lawfulness, fairness and transparency - Personal data must be processed on a valid lawful basis and in a way that is fair to the individual, and individuals must be told clearly how their data is used and what rights they have over it, including the right to access or restrict it
  2. Purpose limitation - Personal data should be collected for specified, explicit and legitimate purposes. If you later want to use it for a purpose that isn't compatible with the original one, you need to tell the individual and make sure you still have a lawful basis
  3. Data minimisation - Collect and keep only the personal data that is adequate, relevant and limited to what the purpose actually needs
  4. Accuracy - Personal data should be accurate and kept up to date where necessary. Inaccurate or incomplete data should be corrected or erased without delay
  5. Storage limitation - Personal data should be kept in a form that allows individuals to be identified for no longer than is necessary for the purpose(s) for which it's processed; after that it should be deleted or anonymised
  6. Integrity and confidentiality (security) - Personal data must be protected, by appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage
  7. Accountability - The organisation is responsible for complying with the principles above and must be able to demonstrate that compliance, for example through documented policies, records of processing activities and staff training

How Does GDPR Apply to Care Homes?

EU GDPR is an EU regulation, so it no longer applies directly in the UK. However, its text has been retained in UK law as 'UK GDPR', supplemented by the Data Protection Act 2018, so the rules have broadly remained the same.

UK GDPR applies to organisations established in the UK that collect, store and process personal data, whatever the nationality of the people the data is about. This includes care providers such as care homes, who must comply with it at all times.

Here are the main ways that GDPR applies to care homes:

  • Data protection - Your care home must collect, store and process personal data in a way that complies with the law, with appropriate measures in place to prevent unauthorised access and accidental loss of data
  • Lawful basis and transparency - Before collecting, storing or processing a resident's personal information you need a lawful basis for doing so. Consent is one basis, but in a care setting it is often not the right one: residents may lack the capacity to give it, and much of the processing is necessary to provide care under your contract with them or to meet legal and safeguarding duties. Health data also needs a separate condition under Article 9, such as the provision of health or social care. Whichever basis you rely on, you must tell the resident (or the person acting on their behalf) why you are processing their data and who will have access to it
  • Data subject rights - Residents have several rights over their data, including the right of access (subject access requests, which must normally be answered within one month), the right to rectification and erasure, and the right to restrict processing. You must respect these rights for every resident
  • Data breaches - Care homes need procedures to spot, contain and investigate personal data breaches. A breach that is likely to put individuals at risk must be reported to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and affected individuals must be told where the risk to them is high. The Care Quality Commission (CQC) regulates the quality of care rather than data protection, but your separate notification duties to the CQC as a registered provider may also apply, depending on what the breach involves
  • Data processing agreements - If your care home uses third-party companies that process personal data on its behalf (for example software or payroll providers), GDPR requires a written contract setting out what they may do with the data and the security measures they must maintain, and you remain responsible for checking that they comply

Why is GDPR so important in a care home?

Like many other places where people are looked after, care homes collect, store and process large amounts of personal data, including things like medical records and financial information. These personal details must be protected to ensure residents are kept safe and their privacy respected.

Care homes that comply with GDPR are better placed to provide high-quality care with dignity and respect.

GDPR is important in care homes for the following reasons:

  • It protects residents' rights - The most important thing GDPR does in a care home is protect the rights of residents whose personal data is stored and processed. Care homes need to ensure all of these rights are respected, and that residents feel comfortable exercising them when necessary
  • It protects confidentiality - GDPR requires that personal data is kept confidential, so that only authorised people can access it, and that it is lawfully collected, stored and processed, which supports the safeguarding of residents, staff and visitors alike
  • Trust is built between the home, residents and their families - By complying with GDPR, you'll find it much easier to develop trusted relationships with residents. Knowing that their loved one's personal data is being handled with care and respect will go a long way to earning the trust of family members as well

How Can Care Homes Comply With GDPR?

There are several steps care homes should take to properly comply with GDPR. By following the steps outlined below, care homes will ensure personal data is collected, stored and processed securely and lawfully:

  • By developing the necessary policies and procedures - Guidelines should be in place for the collection, storage and processing of personal data, including the lawful basis for each type of processing, where the data will be stored, who will have access to it and how long it will be kept
  • By training staff in line with GDPR requirements - New members of staff should be trained on how to handle personal data, how to recognise a subject access request or a breach, and when consent is (and isn't) the right lawful basis, with refresher training at regular intervals
  • By identifying a lawful basis for every type of processing - Before collecting, storing or processing personal data about residents, staff, visitors or anyone else who spends time in the home, record which lawful basis you rely on. Where consent is the basis (for example for marketing contact), it must be freely given, specific, informed and as easy to withdraw as it was to give
  • By supporting residents in exercising their rights - Residents should feel comfortable exercising GDPR-related rights, including the right to restrict how their personal data is used, and staff should know how to recognise and route such requests
  • By conducting risk assessments - A Data Protection Impact Assessment (DPIA) is required before any processing likely to result in a high risk to individuals, which large-scale processing of health data usually is; the assessment identifies the threats to personal data and the measures that reduce them
  • By implementing security measures - Technical and organisational measures, such as access controls, encryption, backups and clear-desk rules for paper records, should protect personal data against loss and unauthorised access
  • By reviewing and updating GDPR procedures in line with policy changes - Your procedures aren't set in stone; the law, regulator guidance and your own services change, so policies and procedures should be reviewed regularly to ensure your care home remains compliant

Using a CRM Platform To Comply With GDPR

You can use a CRM (Customer Relationship Management) platform or care-home-specific management system to comply with GDPR more reliably while also speeding up many of your home's processes:

  • Consent management - A CRM can record what each person associated with your care home (residents, their families, staff and visitors) has agreed to, when and how, and whether they have since withdrawn it, so that marketing and other consent-based processing stops when it should
  • Data retention policies - GDPR says organisations shouldn't keep personal data for longer than necessary. A CRM can enforce a retention schedule that automatically deletes or anonymises records after a set period
  • Data subject requests - Requests relating to personal data can be logged and tracked in a CRM, so that statutory deadlines are met and there is a record of how each request was handled
  • Data security - A CRM can store personal data securely, with role-based access controls so that only authorised people can see each record, and encryption so that data stays protected if storage media or backups are lost. Regular backups reduce the risk of data loss, though they don't remove it, and backups need the same protection as live data

How Can Found Help?

Found ties in with many of the features we’ve discussed above and will help your care home demonstrate GDPR compliance.

We automatically anonymise closed enquiries after six months. Doing this removes all personal data (including any uploaded and digitised documents). Users can also use a specific 'anonymise' function to manually clear an enquiry of its personal data before this time has elapsed if they receive a request to do so.

For users of Found - such as care home managers and members of staff - we use consent management fields that allow individual users to specify whether they’re happy to be contacted by post, phone or email.

Another feature we've recently added is 'Export Logs'. These allow Found Admins to view who has exported enquiry and resident data from the platform. The aim of this is to provide extra accountability as to where data is and how it's being used.
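As an added illustration (not Found's code, and not a description of how Found implements these features), here is a small Python model of the three mechanisms described in the CRM section and above: a retention sweep that anonymises closed enquiries six months after closure, a manual anonymise for erasure requests that arrive earlier, and an export log that records who took data out and why. The in-memory store, the field names, the 182-day retention period, the actor names and the sample enquiries are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed retention policy: closed enquiries are anonymised about six months
# after they were closed. Tune this to your documented retention schedule.
RETENTION = timedelta(days=182)

# Fields treated as personal data. Anonymisation removes these and leaves the
# non-identifying fields (status, dates, enquiry source) for reporting.
PERSONAL_FIELDS = ("name", "email", "phone", "address", "notes", "documents")


@dataclass
class Enquiry:
    id: int
    status: str                  # "open" or "closed"
    closed_at: Optional[date]    # None while the enquiry is still open
    data: dict = field(default_factory=dict)
    anonymised: bool = False


@dataclass
class AuditEvent:
    when: date
    actor: str                   # user or job that performed the action
    action: str                  # "anonymise" or "export"
    enquiry_ids: tuple
    detail: str                  # reason for anonymising, or purpose of export


class EnquiryStore:
    """In-memory stand-in (an assumption) for a CRM's enquiry table plus its audit trail."""

    def __init__(self):
        self.enquiries = {}
        self.audit = []

    def add(self, enquiry):
        self.enquiries[enquiry.id] = enquiry

    def anonymise(self, enquiry_id, actor, reason, today):
        """Strip personal fields from one enquiry and log who did it and why.
        Returns False if the record was already anonymised (idempotent)."""
        e = self.enquiries[enquiry_id]
        if e.anonymised:
            return False
        for f in PERSONAL_FIELDS:
            e.data.pop(f, None)
        e.anonymised = True
        self.audit.append(AuditEvent(today, actor, "anonymise", (enquiry_id,), reason))
        return True

    def retention_sweep(self, today, actor="retention-job"):
        """Anonymise closed enquiries whose retention period has expired.
        Open enquiries, and closed ones without a closed_at date, are never
        touched: a missing date should be fixed by a person, not guessed at."""
        due = [e.id for e in self.enquiries.values()
               if e.status == "closed" and e.closed_at is not None
               and not e.anonymised and e.closed_at + RETENTION <= today]
        for enquiry_id in due:
            self.anonymise(enquiry_id, actor, "retention period expired", today)
        return due

    def export(self, enquiry_ids, actor, today, purpose):
        """Return the requested records and log the export, so an admin can
        later see who took which data out of the platform and for what."""
        rows = [dict(id=i, **self.enquiries[i].data) for i in enquiry_ids]
        self.audit.append(AuditEvent(today, actor, "export", tuple(enquiry_ids), purpose))
        return rows

    def export_log(self):
        return [a for a in self.audit if a.action == "export"]


def demo(today=date(2023, 5, 23)):
    """Constructed sample enquiries (not real records) exercising all three paths."""
    store = EnquiryStore()
    store.add(Enquiry(1, "closed", date(2022, 10, 1),
                      {"name": "A. Resident", "email": "a@example.com", "source": "web"}))
    store.add(Enquiry(2, "closed", date(2023, 4, 1),
                      {"name": "B. Resident", "phone": "01234 567890", "source": "phone"}))
    store.add(Enquiry(3, "open", None,
                      {"name": "C. Resident", "email": "c@example.com", "source": "web"}))
    swept = store.retention_sweep(today)          # only enquiry 1 is past retention
    # An erasure request arrives for enquiry 2 before its retention period ends.
    store.anonymise(2, "manager@example.org", "erasure request from family", today)
    rows = store.export([1, 2, 3], "manager@example.org", today, "inspection preparation")
    return store, swept, rows


if __name__ == "__main__":
    store, swept, rows = demo()
    print("swept:", swept)
    for row in rows:
        print(row)
    for event in store.audit:
        print(event)
```

Two design points carry over to a real system: the sweep selects only records that have a closure date and have not already been anonymised, so a re-run is harmless and a record with bad data is left for a person to look at; and every anonymisation and export goes through the same audit list, so the 'who, what, when, why' an inspector asks for is in one place rather than reconstructed from application logs.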


Frequently Asked Questions

Do care homes need a data protection officer?

A Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve either regular and systematic monitoring of individuals on a large scale or large-scale processing of special category data such as health records. Most care homes are private organisations, so the question is whether their processing of residents' health data counts as large scale; each home needs to assess this, document the decision, and appoint a DPO if the test is met. Even where one isn't required, someone should still be named as responsible for data protection.

What does the CQC say about data protection?

The CQC says that technology is helping to solve several data-related problems in settings such as care homes. It also says that any organisation which collects or uses personal data, including a care home, must comply with GDPR, and that any information the CQC itself stores will be protected and kept secure.