Section 1 – Data Controllers and Processors
1.1 – Data controllers
The data controller is the individual responsible for processing data. It can be a person, a partnership, a company, etc. When deciding who should be the data controller, you can refer to the ICO guidance, which says that you should ask who decides:
- To collect personal data in the first place
- The lawful basis for doing so
- What types of personal data to collect
- The purposes for which the data are to be used
- Which individuals to collect data about
- Whether to disclose the data and, if so, to whom
- What to tell individuals about the processing
- How to respond to requests made in line with individuals' rights, and
- How long to retain the data or whether to make non-routine amendments to the data
These are all decisions that the controller can only take as part of its overall control of the data processing operation. If you make any of these decisions to determine the purposes and means of the processing, you are a controller.
1.2 – Data processors
A data processor is any person or company (other than the data controller or someone employed by them) who processes the data on behalf of the data controller. This could be a third-party company, such as a cloud storage company, used to back up patient records. Here are some examples:
- Dental laboratories
- Self-employed clinicians (unless they register with the ICO individually)
- Google (if you use AdWords, captcha, analytics, etc)
- Microsoft – if you use Office 365 or other cloud services
- Dropbox
- Online backup company
- Online HR software like the Agilio iTeam
- Your computer and network support company if they can access your data
- Your patient management software company if they have a cloud aspect
Section 2 – ICO Registration
Unless exempt, every organisation or sole trader (a person who is the exclusive owner of a business) who processes personal information must pay a fee to the ICO. The cost of registering starts at just £35, and practices may consider asking any self-employed associates/hygienists/therapists working for them to register individually with the ICO if it has been determined that they are data controllers. See the Information Commissioner's Office registration link. Each registration entry is valid for one year, and reminders are sent when renewal is due.
We have interpreted that the guidance requires the following:
- Single-handed practice owners to register as individuals, and their registration will cover all team members
- Partnerships to either have one registration under the partnership name or, if each partner has their own patients, a separate registration for each partner is needed
- Expense-sharing partners to register and pay the fee individually
- A limited company with several practices to have one registration if the company has group policies and procedures that determine why and how personal data is used
- If you own a practice as an individual but also have a limited company for tax purposes, to have an individual registration with ICO
- Self-employed associates/hygienists/therapists will either be joint controllers or processors and will need to sign the Model Contract for Data Processor or Joint Data Controllers (M 217UA)
Section 3 – Legal Framework
Data controllers have an overriding legal obligation to be "accountable" for the data they process.
This duty is set out in Article 5(2) of UK GDPR:
"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')"
"Accountability" is then underpinned by six key principles as set out in Article 5(1) of UK GDPR and mirrored in Chapter 2: 85(1) of the Data Protection Act 2018:
- The first data protection principle - A requirement that processing be lawful, fair and transparent
- The second data protection principle - A requirement that the purposes of processing be specified, explicit and legitimate
- The third data protection principle - A requirement that personal data be adequate, relevant and not excessive
- The fourth data protection principle - A requirement that personal data be accurate and kept up to date
- The fifth data protection principle - A requirement that personal data be kept for no longer than is necessary
- The sixth data protection principle - A requirement that personal data be processed in a secure manner
To regulate this, the ICO has created an "accountability framework" that sets out its expectations for data controllers to demonstrate compliance with the six principles - Accountability Framework | ICO. By following this framework, controllers can be assured that they will not be found in breach of their legal duties and obligations should the ICO be required to carry out an investigation following a data breach.
Section 4 – Key Governance Roles in Dental Practices
The board, or the highest senior management level, is responsible for data protection and information governance, but several roles can be delegated to help implement and maintain compliance.
4.1 – Senior Information Risk Owner (SIRO)
Oversees strategic information risk, ensuring appropriate data security measures and risk management at the highest level. Cannot be the same person as the Caldicott Guardian due to the need for independent oversight.
NHS Practices – Required.
Private Practices – This is not a formal requirement, but it is advisable in larger private groups.
4.2 – Information Governance (IG) Lead
Coordinates information handling procedures, training, and compliance. This role can be combined with the Caldicott Guardian or DPO roles for independent practices or smaller groups.
An IG Lead will typically perform the following tasks:
- Ensure there is an up-to-date IG policy in place
- Train all members of staff, including new starters, and continually support them by implementing clear and robust data handling policies and procedures
- Manage the completion of the Data Security and Protection Toolkit
- Monitor the information handling and sharing activities within the practice to ensure compliance with the law and guidance
- Ensure any required documentation is submitted to relevant organisations, e.g., General Dental Council, Care Quality Commission, Health Inspectorate Wales
- Ensure patients are appropriately informed about the practice's information-handling activities
NHS Practices – Required.
Private Practices – Strongly encouraged to oversee UK GDPR and data protection compliance, especially if undertaking digital processing or multi-site operations.
4.3 – Caldicott Guardian
Ensures confidential patient information is used and shared ethically, legally, and appropriately per the eight Caldicott Principles. They also act as the organisation's conscience, advising and supporting staff on the sharing and disclosure of person-identifiable patient information and related legislation. It cannot be the same person as the SIRO, but can be combined with the IG Lead and DPO roles for independent practices or smaller groups.
NHS Practices – Required.
Private Practices – This is not mandatory but recommended, especially when processing sensitive patient data.
4.4 – Data Protection Officer (DPO)
Provides independent oversight of data protection compliance under UK GDPR. A single DPO can be appointed across multiple sites, but this person must be easily accessible. They can be a staff member, such as the Practice Manager, or appointed through a service contract. This role can be combined with the SIRO, Caldicott Guardian, or IG Lead roles; however, they must be able to carry out their duties independently without any conflicts of interest, should not be someone who decides how or why data is processed, and must report to the highest management level.
A DPO will typically perform the following tasks:
- Monitoring the Practice's data protection compliance
- Informing and advising on data protection obligations
- Reviewing and providing guidance on privacy policies, procedures and documentation relating to processing personal data
- Acting as the contact point for data protection authorities for all data protection issues
- Providing advice on DPIAs (data protection impact assessments), the manner of implementation and outcomes
- Advising on data breach monitoring, management and reporting, and
- Advising on responses to privacy rights requests from individuals
NHS Practices – Dental practices providing NHS treatment are classified as public authorities, so they must appoint a DPO under Article 37(a) of the UK GDPR.
Private Practices – Article 37(c) of the UK GDPR requires a formal DPO only if the practice processes special category data (e.g., health records) on a large scale. Therefore, most small to medium-sized private practices will not need a formal DPO; however, if a DPO is not appointed, the ICO expects this decision to be recorded, and data protection compliance responsibilities assigned to the most appropriate person. Unfortunately, there is no legal definition of large-scale processing, or the cut-off point between a medium and large-sized DSO, so practices are advised to speak to the ICO directly if in doubt.
Section 5 – Key Governance Roles: Example Practice Setup
The examples below are intended to provide a practical framework for how practices providing NHS treatment of varying sizes could effectively assign and manage the information governance roles to ensure compliance. For fully private practices, whilst these roles are only recommended, other than the DPO, which is required for larger organisations, private practices are still subject to UK GDPR and Data Protection laws and must show accountability by appointing a nominated lead to oversee compliance. In iComply, we refer to this person as the Information Governance Lead.
| Role | 5.1 – Two-person dental practice (Owner + Practice Manager) | 5.2 – Three-person team (Owner, Practice Manager, Admin Lead or Senior Nurse) | 5.3 – Small group (2–5 practices) | 5.4 – Larger group (5+ practices) |
|---|---|---|---|---|
| SIRO | Practice Owner | Practice Owner | Group Director or Lead Owner (one SIRO for all sites) | Board Director or Senior Executive |
| IG Lead | Practice Manager | Practice Manager | Site PM or Group Compliance Lead (one per site, or shared across multiple sites) | Central IG Manager + Site-Level Champions (such as local IG reps that report into the IG Lead) |
| Caldicott Guardian | Practice Manager | Practice Manager | Clinical lead per site or Group Clinical Director | Group Clinical Director + Deputies |
| DPO | Practice Manager, if not the person making system decisions | Admin lead or nurse | Central DPO overseeing all sites, or shared independent role across the group | Dedicated DPO or DPO Team (fully independent that reports to the board) |
Section 6 – Data Protection by Design
UK GDPR requires organisations to have appropriate technical and organisational measures to implement the six data protection principles effectively and safeguard individual rights. This is called 'data protection by design', previously known as 'privacy by design'.
In summary, data protection must be considered at the design or creation stage of all processing and business practices and then continue throughout the processing lifecycle; for example, dental practices would need to consider data protection by design if they were introducing a new data-sharing initiative, setting up a new care record, or using personal data for a new purpose such as research.
Section 7 – Data Protection Impact Assessment
A 'Data Protection Impact Assessment (DPIA)', previously known as a 'Privacy Impact Assessment', is a statutory requirement under Article 35(1) of the UK GDPR and must be undertaken where a type of processing is likely to result in a high risk to individuals' rights and freedoms.
It is a key risk management tool supporting 'data protection by design' that involves assessing the likelihood and severity of any potential harm to individuals, whether physical, material, or non-material, to minimise the data protection risks of projects. It should begin early in the life of a project, before you start processing data, and run alongside the planning and development stages.
To meet the statutory obligations, a DPIA must be carried out under Article 35(3) of the UK GDPR, where:
- There is a systematic and extensive profiling of persons that could produce significant effects
- There is large-scale processing of special category data or personal data relating to criminal convictions and offences
- There is large-scale systematic monitoring of a publicly accessible area
In addition, under Article 35(4) of the UK GDPR, the ICO has produced a supplementary list of high-risk processing activities they deem to require a DPIA. Those that are likely to be relevant for a dental practice are:
- Processing activities involving the use of new technologies, such as moving all patient records over to a new dental software provider
- Where the processing is of such a nature that a personal data breach could jeopardise the health or safety of individuals, such as the relocation of paper clinical records from one location to another as part of a practice relocation or archiving project
However, the ICO considers it best practice to carry out a DPIA, regardless of whether the processing will likely result in a high risk.
Practices should, therefore, consider carrying out a DPIA for any of the following activities:
- Introducing a new type of e-recruiting software which makes decisions without any human intervention
- Moving a large number of patient records between digital systems
- Introduction of a CCTV camera on the practice property, which monitors a busy pedestrian area
- Introduction or change of off-site storage of paper records
- Creation of a new record destruction process
- Use or change of patient portals
- Use or change of cloud solutions
Where a DPIA is required, the ICO has produced a suitable template that can be accessed here - DPIA template.
Section 8 – Data Categories
There are two types of data:
- Personal data, and
- Special category data
8.1 – Personal data
Personal data means data which relates to a living individual who can be identified:
- From the data, or
- From those data and other information, which is in the possession of, or is likely to come into the possession of, the data controller
- Including any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
8.2 – Special category data
The UK GDPR defines special category data as:
- Personal data revealing racial or ethnic origin
- Personal data revealing political opinions
- Personal data revealing religious or philosophical beliefs
- Personal data revealing trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Data concerning health
- Data concerning a person's sex life
- Data concerning a person's sexual orientation
Section 9 – Lawful Basis
9.1 – Legal basis for processing data
To demonstrate compliance with the first and second data protection principles:
"Requirement that processing be lawful, fair and transparent"
"Requirement that the purposes of processing be specified, explicit and legitimate"
Article 6 of the UK GDPR mandates that processing personal data is only lawful if:
- The data subject has given consent to the processing of their personal data for one or more specific purposes OR
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering a contract OR
- Processing is necessary for compliance with a legal obligation to which the controller is subject OR
- Processing is necessary to protect the vital interests of the data subject or another natural person OR
- Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller OR
- Processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Of these six bases, (a) consent, (b) contract, (c) legal obligation and/or (f) legitimate interests are considered the most appropriate lawful bases for a dental practice.
In addition, Articles 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 govern the lawful basis for processing 'Special Category Data', which is prohibited unless certain conditions are met, such as:
- The data subject has given explicit consent to the processing
- Processing is necessary for health and social care purposes
- Processing is necessary to safeguard children and individuals at risk
Organisations need to select the most appropriate lawful basis for processing both personal and special category data before starting each processing activity and document this, along with the reasons why, within their privacy notice.
9.1.1 – Legitimate interests
Out of the six lawful bases for processing personal data, Article 6(1)(f) of the UK GDPR regarding processing data for legitimate interests is different from the others as it is not centred around a particular purpose, e.g., performing a contract, complying with a legal obligation, protecting vital interests, or carrying out a public task. It is more flexible and could be applied to any processing activity.
However, data controllers cannot simply choose legitimate interests as their legal basis and start processing data. They must first consider the ICO's three-part test and provide a reasonable purpose for choosing this as their basis:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual's interests, rights or freedoms?
To demonstrate compliance with the three-part test, the ICO expects organisations to carry out a 'Legitimate Interests Assessment (LIA)' and document this process along with the decision. iComply members can use the Legitimate Interests Assessment template (M 217S) to help.
The Data Protection Network provides some helpful information about how legitimate interests may be used as a lawful basis for marketing. Members must consider the Privacy and Electronic Communications Regulations and the Data Protection Act 2018 for business-to-consumer marketing. A dental practice may also consider legitimate interests a legal basis for processing when safely transferring paper records to a secure digital patient records system.
Section 10 – Data Rights
Individuals have the right to access their personal data, obtain copies of it, have errors corrected, and restrict its processing. They also have the right to obtain supplementary information, such as how practices process their data and what it is used for, and to object to specific uses of it. The right of access allows individuals to be aware of and verify the lawfulness of processing activities. They also have the right to ask practices to delete data; however, this may not always be possible.
10.1 – The right to be informed
Individuals have the right to be informed about the collection and use of their personal data
10.2 – The right of access
Individuals have the right to access their personal data (commonly referred to as a subject access request). Patients have the right to access a copy of their clinical records and receive them for free; non-patients can request a free copy of the details you hold on file for them. The details must be provided within a month of the request. You should refer individuals wishing to make a request to your Privacy Notice (see Section 11) and provide a copy if required.
10.2.1 – Right of access for children
Even if a child is too young to understand an access request, it is still their personal data and does not belong to anyone else, such as a parent or guardian. When handling a request for information about a child, practices must consider whether the child is mature enough to understand their rights. If they are, practices must respond directly to the child rather than the parent. When a child makes a request, they should be provided with a copy of the Privacy Notice for Children (M 217TC) or told where they can access it (such as on the website). Information about a child may be released to a person with Parental Responsibility, considering the child's best interests. All mothers and most fathers have this responsibility, and parents do not lose it if they divorce, although a court can remove it. If parental responsibility is in doubt, proof of identity and supporting evidence must be requested.
10.2.2 – Access requests and mental capacity
For patients who lack the mental capacity to manage their affairs, a solicitor or other person with a Lasting Power of Attorney or someone appointed by the courts will have the right to access information about the person they represent and make decisions on their behalf. Proof of identity and evidence of power of attorney or court order must always be requested. The same applies to a person appointed to make decisions by the Court of Protection in England and Wales.
10.3 – The right to rectification
Practices must rectify inaccurate personal data when it becomes apparent or if an individual requests it. If the personal data has been shared with third parties, you must inform them of the rectification. If you refuse a request for rectification, you must inform the individual of their right to raise a complaint with the Information Commissioner.
All requests must be actioned immediately and, at the latest, within one calendar month from the first day they are received.
10.4 – The right to erasure
Individuals have the right to have their personal data erased; however, this right only applies when the organisation no longer needs the data for the original reason it was collected or used. For example, the right to erasure can be refused where there is a legal obligation to process the information or where the processing is necessary for providing care. It can be granted once these obligations have been fulfilled.
10.5 - The right to data portability
Portable data can be transferred between devices or programs without being entered again. This right allows individuals to obtain and reuse their personal data, such as transferring a copy of patient records from one practice to another.
10.6 - The right to object
Article 21 of the UK GDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop organisations from processing their personal data. The right to object only applies in certain circumstances and depends on the organisation's lawful basis for processing. In some cases, individuals have the absolute right to object to processing their personal data, for example, if it is for direct marketing purposes. Patients can object to a dental practice processing their data; however, the practice can refuse this request as it would limit their ability to provide safe and effective dental care.
10.7 - Rights in relation to automated decision-making and profiling
Automated decision-making is a decision made by automated means without any human involvement. Examples include email reminders to book an appointment or text or email reminders of appointments. Automated individual decision-making does not have to involve profiling, although it often will do. The UK GDPR states that profiling is:
"Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."
Individual rights in relation to automated decision-making and profiling include:
- Being notified that their personal data has been obtained indirectly
- How they can access the details of the information used to create their profile
- How to object to profiling, including profiling for marketing purposes
- The right to review and edit data to correct inaccuracies
Section 11 – Transparency
To respect people's data rights, particularly their right to be informed, data controllers must be open and honest ("transparent") about their lawful basis for collecting and processing personal data. This is underpinned by the first data protection principle as set out in Article 5(1)(a) of the UK GDPR and Chapter 2: 86(1) of the Data Protection Act 2018:
"Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')" – UK GDPR
"The first data protection principle is that the processing of personal data must be lawful, fair and transparent" – DPA 2018
To achieve this, data controllers must communicate their purposes for collecting personal data, how they manage this, and the rights of the data subjects. This is referred to as "privacy information" or a "privacy notice" and must include all the information outlined in Articles 13 and 14 of the UK GDPR, such as who the data controller is and the contact details for the Data Protection Officer/IG Lead. It should also explain the purposes for which personal data is collected and used, how it is disclosed, how long it is retained and the controller's legal basis for processing.
The privacy notice needs to be made available for people to view or provided to them when their data is collected for the first time. This can be achieved by placing a poster on display, handing out printed copies, or verbally advising them where it can be located, such as on the practice website.
Access to the privacy notice must be free and easily obtainable in formats suitable for the data subject, e.g., electronic, hard copy, large print, etc. Privacy information intended for children needs to be age-appropriate and in clear, plain language that they can understand.
The ICO expects a 'LOG' to be maintained of historical "privacy notices" that include the dates of any changes. This will allow them to review what privacy information was provided to subjects and when.
iComply members can use (M 217T) for patients, (M 217TS) for staff, and (M 217TC) for children to help with this.
Section 12 – Data Consent
An essential aspect of the UK GDPR is the requirement to offer people choice and control over how their data is used. If you are sending out email newsletters, for example, you may need to consider consent requirements, such as:
- The consent form gives a choice about how the data will be used, e.g. provide news/advice/important announcements/new products and services
- The consent statement must be clear and specific, and the indication to give consent must be unambiguous
- Tick boxes must never be pre-ticked; this is called 'positive opt-in'
- Consent must be easy to withdraw with a straightforward way to withdraw it at any time, such as by phone or email
- Evidence of consent is kept, including who, when, how, and what you told people
- The consent process is kept under review and refreshed if anything changes
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Consent must be opt-in and not 'tick to opt-out'; it must also be granular so that the person can see exactly what they consent to.
Section 13 – Data Opt-outs
Dental practices in England providing NHS care must comply with the national data opt-out policy. The policy allows:
- Individuals to choose whether to allow their data to be used for research and planning purposes
- Relevant organisations to more easily respect individuals' National Data Opt-out choices
- Individuals to change their choice at any time
Individuals can make or change their choices using the following methods:
- Through the NHS App by clicking on "Your Health" and selecting "Choose if data from your health records is shared for research and planning"
- Online via the NHS data matters page: Make your choice about sharing data from your health records - NHS
- By phone, email or post via the NHS manage your choice page
Section 14 – Data Security and Protection Toolkit
The Data Security and Protection Toolkit is an online self-assessment tool that is updated annually to reflect the latest data protection thinking. All organisations with access to NHS patient data and systems, including private practices with NHSmail accounts, must use this toolkit annually to ensure that they are practising good data security, and that personal information is handled correctly.
Section 15 – UK GDPR, Brexit and International Processing
There are specific rules about transferring personal data from a UK sender to a receiver outside the UK (under UK GDPR) and similar transfers from EEA senders (under EU GDPR), known as restricted transfers. A receiver could be a separate company, public body, sole trader, partnership or other organisation.
Examples of restricted transfers would be:
- Sending paper or electronic documents, or any record containing personal data, by email or post to another country
- Giving a supplier based in another country access to personal data
- Giving access to UK/EU employee data to another entity in the same corporate group based in another country
Restricted transfers can only take place if one of the following conditions is met:
- Adequacy
Adequacy occurs when the receiving country is judged to have data protection standards similar to those of the sender country. An Adequacy Decision allows for the free flow of personal data without any additional safeguards or measures. A full list of countries with Adequacy Decisions can be found on the ICO Website.
- EU Standard Contractual Clauses
In the absence of an adequacy decision, Standard Contractual Clauses (SCCs) can be used, which the sender and the receiver of the personal data both sign up to. These comprise several specific contractual obligations designed to provide legal protection for personal data when transferred to 'third countries'.
- UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs
Senders in the UK (post-Brexit) have two options here as a lawful tool to comply with UK GDPR when making restricted transfers:
- The International Data Transfer Agreement, or
- The Addendum to the new EU SCCs
Exemptions may apply in limited circumstances, for example, where the transfer is done with the explicit consent of the individual whose data is being transferred and where they are informed of the possible risks.
Section 16 – Password Management
Bill Burr originated the advice to build passwords from upper- and lower-case letters mixed with numbers and special characters. Unfortunately, password-cracking software has since been designed around exactly this pattern, so passwords built this way are no longer considered secure. He now advises using four unrelated words, such as 'moon rapport deckchair towel'.
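The following is an added worked example, not part of the original guidance and not Agilio's code, showing why the four-word advice holds up. It compares the entropy (in bits) of three password styles: a pattern-based "complex" password of the kind people actually choose (capital first letter, a few lowercase letters, a digit and a symbol), a truly random 8-character password drawn from all printable ASCII, and four words picked at random from a word list. The 7,776-word list size is an assumption taken from the widely used EFF/diceware lists; the tiny word list embedded below is constructed for the offline demo only.

```python
import math
import secrets

# Constructed, deliberately tiny word list so the demo runs offline.
# A real passphrase generator would draw from several thousand words.
SAMPLE_WORDS = [
    "moon", "rapport", "deckchair", "towel",
    "harbour", "violin", "pencil", "glacier",
]

# Assumed size of a real-world word list (EFF/diceware long list).
ASSUMED_WORDLIST_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each chosen uniformly
    and independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def pattern_password_bits() -> float:
    """Entropy of a typical 'complex' password that follows the common
    human pattern a cracker models: Capital + 5 lowercase + digit + symbol
    (e.g. 'Moon19!' style). Each position is scored by its own alphabet,
    because the cracker only has to search the pattern, not all of ASCII."""
    return (
        entropy_bits(26, 1)   # one capital letter
        + entropy_bits(26, 5) # five lowercase letters
        + entropy_bits(10, 1) # one digit
        + entropy_bits(32, 1) # one special character (assumed 32 symbols)
    )


def random_ascii_bits(length: int = 8) -> float:
    """Entropy of a password of `length` characters chosen uniformly from
    the 95 printable ASCII characters (what the complexity rule hoped for)."""
    return entropy_bits(95, length)


def passphrase_bits(word_count: int = 4,
                    wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Entropy of `word_count` words chosen uniformly from a word list."""
    return entropy_bits(wordlist_size, word_count)


def generate_passphrase(words=SAMPLE_WORDS, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words using the OS CSPRNG (secrets), never random.random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_policies() -> dict:
    """Return the three entropy figures side by side, in bits."""
    return {
        "pattern_complex_8": pattern_password_bits(),
        "random_ascii_8": random_ascii_bits(8),
        "four_random_words": passphrase_bits(4),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:>20}: {bits:5.1f} bits")
    print("example passphrase:", generate_passphrase())
```

The numbers make the point: four words from a 7,776-word list give roughly 52 bits, about the same as a genuinely random 8-character complex password, while the pattern-shaped password most people actually produce under a complexity rule comes in at around 37 bits, which is what cracking tools exploit. The passphrase is also far easier to remember, and the example uses the `secrets` module so the choice is not predictable.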
Agilio recommends that all computer users install a password manager such as Dashlane. This helps the user easily manage different passwords for each login. It also completes the name, address, or credit card details into a website form, saving the user time. Some people are concerned that password managers may be hacked; however, as Agilio knows, this hasn't happened, and we successfully use Dashlane.
Section 17 – Multi-factor Authentication
Multi-factor authentication (MFA) provides more security to users than just using a password; for example, along with the password, users are asked to enter a one-time code sent to their email, mobile phone, or authenticator app. This makes it more difficult for unauthorised users to gain access to the account and is considered by the ICO as an additional security measure that organisations should consider for protecting access to personal and/or sensitive data.
When considering the use of MFA, the following steps should be taken:
- Assess your current systems:
  - Identify all systems that can be accessed from the internet, such as email, digital social care records, and any cloud-based systems
  - Speak with your software and IT suppliers to understand the MFA options available for these systems
- Identify potential challenges:
  - Consider situations where staff might share devices or logins, which could complicate MFA implementation
  - Assess whether any existing security measures may already provide sufficient protection without the need for MFA
- Make decisions on security versus usability:
  - Determine the appropriate level of security for each system based on the sensitivity of the information it handles and the ease of use for the team
  - Balance the need for strong security with the potential impact on daily operations
- Document and report exceptions:
  - If the decision is not to implement MFA for specific systems, record this decision and the reasons. Ensure there is a clear understanding of the risks involved and the rationale behind the decision
Section 18 – Phishing
Cybercriminals often obtain usernames and passwords by sending emails that appear to originate from a well-known bank or other service provider, such as PayPal or Netflix. These emails usually have a link that says, 'Click here to reset your password,' and a strong message to drive the action, such as 'Take action now, account suspended.'
Many ransomware attacks begin with someone inadvertently clicking on an unknown link, which may install malware on a device or computer. Once the link is clicked, the 'ransomware' may encrypt the computer, rendering it useless unless you pay a large sum to the criminals who sent the malware.
Requests for money
There are many ingenious ways that money can be stolen using email. These include:
- An email that seems to come from a friend who is in trouble
- An email that requests a bill to be paid to a different account than usual or that asks for a fund transfer for any reason
- Emails that appear to come from a manager requesting the transfer of funds
- Emails that ask you to reset bank usernames and passwords
- Emails that ask for your personal details, such as your date of birth
Whenever an email like this is received, team members should contact the sender by telephone to confirm the request, using only a telephone number they have independently confirmed belongs to the supposed sender (not a number given in the email itself).
Section 19 – Training
All staff need to be provided with a basic level of training in key areas of data protection, such as handling requests, data sharing, information security, personal data breaches, and records management. This needs to be covered during induction, and refresher training should be provided at appropriate intervals thereafter. The ICO advises that induction training should be carried out before staff access personal data and within one month of their start date.
The ICO expects a 'Training Needs Analysis' (M 217V) to be completed to demonstrate staff training needs and help identify the level of training required across the team. Those providing the training need to be appropriately trained themselves. This can, therefore, be undertaken in-house or via an appropriate training course.
Specialist roles such as DPOs are also expected to receive additional training and professional development beyond the introductory level provided to staff. This can be achieved through dedicated CPD training, such as the iLearn course – The Role of a Data Protection Officer.
Section 20 – Breach Notification
UK GDPR provides specific breach notification rules, including that practices must notify the relevant supervisory authority, the ICO, within 72 hours of becoming aware of a breach. If the breach is likely to have "a significant detrimental effect on individuals," those individuals need to be notified without undue delay. Failure to notify a breach can result in a fine of up to 4% of annual global turnover or £17.5 million (whichever is greater).