GDPR gives back control to individuals over the data that companies hold on them, and will harmonise European data legislation.

However, the new Data Protection Act, which came into force at the same time as GDPR, has complicated the situation for optometrists. All ‘public authorities’, which include primary care providers such as practices offering General Ophthalmic Services (GOS), now have a statutory requirement to appoint a data protection officer (DPO) or use the services of one. The Information Commissioner’s Office (ICO) states that DPOs must be independent, adequately resourced and experts in data protection.

The Optical Confederation (OC), which opposed the classification of smaller, high-street practices as public authorities, said that a DPO “will place a disproportionate and costly new burden on small businesses that provide NHS services, going far beyond the requirements of GDPR.” One provider offering NHS services and employing three practitioners was quoted more than £11,000 for an external company to provide DPO support for a year (OC, 2018). However, the ICO has indicated that it will be pragmatic in its approach and that providers should be proportionate in the measures they take to comply with GDPR. At the time of going to press, the OC were continuing to work with the ICO and the NHS so that it, and the College, can provide new guidance. However, the OC still cautions against appointing an expensive external provider.

Login to read the rest of this article.