GDPR: What does it actually mean for my Healthcare Business?
Following on from a very active thread in or facebook group: Practice Nav; Tips to run your clinic I decided to try and demystify what GDPR is and what implications its going to have for healthcare practitioners.
This is a vast topic so in this part 1, I will aim to outline the background and what you should start to do to prepare.
There is a growing sense of panic in the air with the whisper of large fines and companies going out of business but what are we realistically likely to see happen?
Before we delve into that let’s get some key pieces of info:
GDPR stands for General Data Protection Regulation
GDPR is a substantial overhaul of the data protection laws brining it in line with the difigtal world of facebook/twitter etc
Data Processor: “Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. An example of this would be mailchimp if you have your software integrated with them.
Data Controller: “Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. E.g. This is most likely you in your clinic.
– 25th May 2018 is a very important date indeed (it’s my wedding anniversary so that’s super important) but it’s also the day when new EU Legislation will come into force.
The stakes will be raised even higher for the data protection and handling of your clients information.
Every EU citizen has the right to have their data protected.
If there are recognised failings in this after the aforementioned date then you/your business will be liable for a penalty for each recognised incidence.
It will be up to 4% of your annual turnover or up to £20 million, that is indeed a hefty sum!!
What falls under the Personal Data Umbrella?
– The usual stuff such as new patient paperwork that includes patients name, address, telephone etc
– Bank Account and card details
– Dictations of patient identifiable information
– Videos of patients doing exercises often stored on phones i pads and laptops
– Usernames and passwords for sign ups you may have distributed to them
And many more examples
So what are the implications:
– Every patient has the right to know exactly what information you have stored about them. They can access this information and it needs to be available to access on request
– You must have consent to send people marketing information. The pre mentioned penalty may apply if you do not have their consent to market to them
The general advice is that you/your business should complete an audit using the following as a simple criteria when reviewing how you handle data:
What data is being collected? E.g. Name, Date of Birth, Address, E Mail Address.
Where is the data sourced? E.g. Client attending clinic provides on site
Why is the data collected? E.g. To assist with client care and communication with their GP for example
How is it processed? E.g. Written in clinic on new patient form, immediately entered on cloud based patient management system and then paperwork shredded.
Who has access? E.g. Treating clinician
How long is the data retained? E.g. 7 years minimum after the clients last treatment session in line with Healthcare profession governing guidelines.
So a lot of people will be wondering what information is to be considered when gaining Consent.
The below is a very useful checklist to consider when looking to obtain consent
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes or any other type of default consent.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give individual (‘granular’) options to consent separately to different purposes and types of processing.
- We name our organisation and any third party controllers who will be relying on the consent. •We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
- As of May 2018 you client will have to right to access any information that you may have about them.
- They have the right to know how it will be handled and who you will be sending it to.
- You need to have informed consent to market to clients after the GDPR commencement date.
- If there a data breach for example and email sent to the wrong client then the obligation is on the business to inform the controlling body (ICO) in the UK within 72 hours.
- You may consider conducting a data audit to assess how much data it is you actually have and how this is processed.
- Your organisation and those working there need to be fully versed in their roles with regard to GDPR compliant personal data handling.
- Designate a Data Protection Officer
This will help you prepare for the pending changes and we anticipate that come mid April we will have clearer information on the actual steps required to best structure your clinic to limit your exposure to issues post introduction of GDPR.
The above information is garnered from a lot of reading I have done around the topic.
I would always recommend formal advice from an expert in this area if you wish to gain a true in depth understanding of the topic outlined.
Useful Links to read more:
ICO Website: PDF on how to prepare for GDPR
ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
GDPR for small business: https://www.simplybusiness.co.uk/knowledge/articles/2017/11/what-is-gdpr-forsmall-business/