The European Union’s biggest personal data reform since 1995, the General Data Protection Regulation (GDPR), comes into effect on May 25th 2018. Good news for consumers, who will have control of their personal data, but is your company ready for the changes, and how can you avoid a fine?
The foundations of the GDPR are accountability, consent and data subject rights. Essentially, any organisation that holds the personal data of Europeans is required to be a good custodian of that data and treat it in a fair, lawful and transparent manner.
Is my company affected?
Any company that collects, processes and/or stores personal data about an individual who is an EU citizen is considered to be a data controller and is fully responsible for complying with the GDPR. The onus is also on the data controller to ensure that any organisation, person or public authority which processes personal data on its behalf (the data processor) is GDPR compliant.
“I don’t know if I am ready”
The deadline to get GDPR-compliant is looming, but it’s not too late to take steps:
To comply with the GDPR, privacy notices should be easy to find, easy to use, written in clear, plain language and free of charge. They should document:
- The name and contact details of your organisation, and your data controller
- Lawful basis for processing personal data (e.g. laws/DOH/GMC)
- The categories of personal data concerned (and how you collect it)
- How long data will be retained (e.g. put a URL link to NHS Records Management code for retention summary)
- A list of the patient’s rights
- Recipients of personal data (sharing of data)
- Safeguards if data is transferred outside of the EU
- A description of your tech and organisational security
Data audit flow
You should document:
- Where are you entering data? (laptop / Practice Management System / iPhone / Dictaphone)
- Who are you sharing this data with, and how are you sending it?
- How are you backing up data? (Time Machine / iDrive)
- Is your data in the EU?
To be compliant with the GDPR, your security needs to be designed to fit the nature of the personal data that you hold – for companies that handle special category data such as those in the private healthcare industry, it has to be very robust, with encrypted hardware. Regulatory action may, and indeed already has, followed where a lack of encryption has led to data loss.
Your email provider is effectively a data processor, so it is important to use one that can guarantee that the GDPR requirements will be met:
- Move away from free Gmail, and other free providers
- Consider Microsoft Office 365 + Egress Switch
- You may want to consider customised seamless encryption
Data breach policy
- You must be able to detect, report and investigate breaches
- You need to have a process that you, or your staff can follow if a breach occurs, and it needs to be in a document
- Egress Switch can enable you to track email and revoke access
Subject access requests
A subject access request is most often used by individuals who want to see a copy of the information that an organisation holds about them. Companies have 30 days to action this, but can refuse ‘excessive requests’. You should:
- Decide who is going to handle requests, and how difficult the practicalities of that might be (clinic notes /gathering in all the emails / investigation results etc.)
- Consider proper practice management software
- Consider Microsoft Office 365 (‘Data Subject Request’ in its GDPR dashboard)
You need to have a Cookies Policy, either as part of your privacy notice or as a separate document. The policy should state:
- What type of cookies
- How long they remain in your user’s browser
- What data they track and for what purpose (functionality / performance / statistics / marketing)
- Where the data is sent, and with whom it’s shared
Email lists and marketing
Having an email list is good for private practice growth, but it must be GDPR compliant, i.e. the consumer’s consent needs to be sought to receive marketing information.
- Explicit consent is best – consider using marketing software
- Consider regaining consent for those you send blogs/marketing to before May 25th 2018. Delete the non-consenters on your marketing list
- Your email sign-up box should include:
  - A positive action to opt in (click/tick) – granular
  - A statement of what you will do with this data
  - Signing up must be independent of ‘incentives’
  - Double opt-in is a great way to prove consent
  - An explanation of how subscribers can unsubscribe
Don’t panic, but do get going
In today’s world, data is valuable and those companies who can show that they can handle personal data in a responsible manner with transparency and respect are set to reap the rewards in the form of customer trust and loyalty. The task may seem complex, but with a little research and organisation, it shouldn’t feel like a struggle.
If you haven’t already started, the main things to prioritise are:
- Sending out an email to all those on your email marketing list to get explicit consent – then delete the rest after 25th May
- Write that Privacy Notice!
- Get going with email encryption
Need a little help? – get in touch for a chat: