This autumn Hospice UK organised four GDPR (General Data Protection Regulation) workshops for members. By the end of the programme more than 200 hospice staff had participated, but what are the long lasting lessons learnt from the programme?
The first is that GDPR training can be lively and interesting. Our partners Birketts provided an entertaining and interactive programme that did not allow attention to wander. To quote from one delegate “the trainer made a dry subject interesting!” There was much heated debate, whether it was about the fundraising case studies on tortoise conservation or the clinical problem of a student chaplain throwing away patient notes. As one delegate commented the first thing they were going to do when going back to their hospice is review why they held so much unnecessary information on patients.
Secondly, delegates discovered that GDPR covers the whole hospice organisation. Many times during the summer I had heard that it was only the fundraisers who would have to make changes to the way they worked. Or that the clinical teams were leading on the work and everyone would have to follow their lead. The workshops clearly demonstrated that GDPR is the responsibility of the whole organisation and that teams would have to work together to achieve the outcome that is right for their hospice. Where hospices sent teams from different areas to the workshops it was interesting to see them come together, understand each other’s issues and work to resolve problems.
The third lesson was that there is not a one size fits all approach to GDPR. Unlike a Gift Aid declaration where the wording is prescribed, the approach you take to GDPR depends on the circumstances of your hospice. Like modern maths, you need to show your workings and not just the end result. So once you have decided your course of action, you need to document your thought process, and ensure training across the organisation to ensure compliance.
There was also debate over Data Protection Officers and whether all hospices need to employ one. The advice from the Information Commissioners Office is not clear on this matter and Hospice UK has written seeking clarification. As soon as a response is received it will be communicated to members.
With many hospices having outsourced services e.g. lottery, payroll, and direct debit collection, it is vital that you have checked with your suppliers that they are compliant. One of the lessons learnt recently from national charities is that such relationships need to be closely monitored to avoid a reputational risk.
Finally, delegates learnt that the world will still continue to turn after 25 May 2018. That while GDPR is a big issue it is not insurmountable with the proper advice and planning. To this end the materials from the programme are available to everyone on the Hospice IQ GDPR resource tab and a forum has also been set up for questions and advice. See the Hospice UK website for further details.