The Cost of a Data Security Breach? Possibly your Business. Welcome to GDPR.

GDPR and the care sector

You might not have May 25, 2018 marked in your diary as a significant date. But maybe you should. That is the date when the various implementations of data protection regulations around the EU will be replaced by the General Data Protection Regulation (GDPR).

The new regulations bring new responsibilities for organisations to protect Personally Identifiable Information (PII). There are significant penalties in the event of a failure (4% of global turnover or 20m Euro, whichever is greater). Given the tight margins in the care sector I’m not sure how many organisations could sustain that type of fine.

Under GDPR every organisation that holds or processes PII of EU citizens will be responsible for safeguarding that data, no matter where in the world it is processed.

Additionally, any personal data you hold must be used only for a specified purpose. There must be explicit agreement from the person concerned to hold and use their personal data. There must also be a clear audit trail and controls in place to ensure data is only used for the agreed purpose.

But I thought we were leaving the EU…

The UK will implement GDPR no matter what happens with Brexit. Care organisations that haven’t already got to grips with data protection don’t have long to get ready.

What might it mean in practice?

Let’s start with care commissioning. Commissioners will inevitably need to pass on personal data as part of the process. The data safeguarding responsibility will extend to any organisation that you supply with that data. How confident are you that providers have secure systems and data protection protocols in place?

Care providers could be exposed if they are using legacy systems that are not designed with the latest standards of encryption and secure access. The Information Commissioner’s Office would expect care providers to be certain that their system providers meet the GDPR requirements. They would probably expect commissioning bodies to verify that care providers are using secure systems and processes.

If there is a breach, responsibility is shared between processors and controllers (i.e. commissioners and care providers).

Any other PII that you hold (e.g. for marketing) is also covered.

There are eight principles guiding the regulations:

  1. Data must be processed lawfully and fairly.
  2. Processing of personal data must only be done for a specific identified purpose.
  3. Only the minimum personal data required for the specified purpose is to be processed.
  4. Personal data must be correct and up to date.
  5. Personal data should not be retained for longer than necessary.
  6. Processing of personal data must be carried out in accordance with individuals’ rights.
  7. Personal data must be kept securely.
  8. Personal data transferred outside of the EU must be adequately protected.


Webformed is accredited with the ISO 27001 information security standard for the CareForIT care management platform. All data has the highest level of encryption and is stored in a secure UK-based data centre, mitigating the risk of a data security breach. When used for commissioning and care delivery management there is a clear end-to-end audit trail for the data and its use. Webformed customers are satisfied in the knowledge that CareForIT care management system ensures all information provided by them is secure.

Using modern advances in technology CareForIT by Webformed is agilely built. We can respond to the inevitable changing market quickly and efficiently. However the sector evolves, CareForIT will develop alongside it.

Share This

Twitter Facebook Goolge+ LinkedIn