With the 25 May deadline looming, GDPR (the General Data Protection Regulation) is the current hot topic on everyone’s lips. However, it is often whispered in slightly hushed tones, or through gritted teeth, by those who are concerned, worried or even burying their heads in the sand about it!
What’s it all about?
GDPR is a European regulation that was subject to four years of debate before being approved in April 2016. It comes into force on 25 May 2018, by which time all organisations must ensure they are compliant with the new regulations.
The new regulations are designed to protect individuals and ensure that their data is being used for legitimate reasons. This means that whenever you collect any information about individuals you must specify why, and the data must only be pertinent to the needs of your business. For example, updating medical history is important for understanding each patient’s specific dental needs, collecting contact information is vital for aftercare and appointment reminders, but asking for something like an inside leg measurement or eye colour would be useless data for your business and therefore unnecessary!
Does it affect you?
Yes, GDPR will affect any firms that handle the data of individuals. As a dental practice you will hold data about your patients, from their medical history to their contact details, as well as data in relation to your staff, such as contact and HR details.
There’s no getting around it, because this data is necessary for you to run your business in the most efficient and compliant manner, which is why you need to look at your existing data protection policies and procedures and update them in accordance with the new GDPR regulations to ensure compliance by the 25 May 2018 deadline.
Some areas that you need to think about…
As a healthcare establishment, you will already be up to date and compliant with the current regulations on data security, so the changes are not as horrendous as many people like to make out. It’s a case of looking into how securely your data is stored, legitimising why you have the data that you have, ensuring you have consent to hold and use the data in specific ways, and processing it in a compliant manner.
- Patient data
As mentioned above, you must only hold patient data that is relevant for a specific purpose and you must only retain it for as long as you need it. The data must be kept secure, and you must have a system in place that allows patients access to their own data if they request it. You will also need to register with the Information Commissioner’s Office (ICO) as a data controller here, https://ico.org.uk/for-organisations/register/.
The ICO has put together a really handy guide, which is well worth a read: https://ico.org.uk/for-organisations/health/
If you use patient data for marketing purposes, such as sending out newsletters or special offers to your patients, you must ensure that every contact on that list has actively provided consent for you to do so. Because the GDPR regulations are all about clarity, you need to have specific permission to use this data to contact people for marketing purposes, using an ‘opt-in’ function for consent to be given. An opt-in method would be an empty box for the patient to tick (a pre-ticked box that they must untick to refuse is no longer compliant). You should also retain proof of this consent.
Under GDPR, the ability to withdraw consent at a later date must also be provided, so you should include details as to how patients can do this. Any marketing emails that you send must have an unsubscribe function, and you must act upon this request with immediate effect.
- Social media
All of the social media platforms are now GDPR compliant, so anything you do within these will ensure that you are, too. However, your activity outside of these platforms must also be compliant; so if you add data to or remove it from these platforms, the onus will be on you to ensure your activity is within the regulations. If you use third party software for scheduling or analytics, double check that their policies have been updated to reflect the new regulations; it is not enough to simply assume.
- Staff data
The obligations on your use of data and the rights of individuals under GDPR don’t only relate to your patients, but to your staff, too. There is the same focus on transparency, so employees should be able to find out what data you hold on them and why, as well as where that data is stored. They can also request a copy of any data you hold, and you must be able to easily supply that, so it is worth having a system in place that allows for this.
Seek expert help
As with any change, there is a lot of scaremongering about GDPR; the subject seems to be hyped up as there being ‘so much to do’, with the constant looming fear of hefty fines for non-compliance. The fines are very real, so it is prudent to get your head around the changes you need to make within your practice and start putting the wheels in motion now, before the deadline hits.
The advice provided here is not all-encompassing and we strongly suggest that you do your own research – the ICO is a great place to start, https://ico.org.uk – and perhaps employ the services of a specialist company or consultant to guide you through the process and ensure that you are fully up to date prior to the deadline.
- On 18th April 2018