If your immediate response is “what’s that?”, then the answer is probably no!
The General Data Protection Regulation is a new EU regulation, and will come into UK law in May 2018. It is intended to provide enhanced protection for an individual’s privacy and personal data, and ALL organisations that hold any personal data and are based in, or trade with, the EU (including the UK) will be obliged to abide by it.
Failure to abide by the regulations may result in a fine of up to €20 million, or 4% of revenue, so it’s something your practice really needs to be aware of! However, this is also a massive opportunity for you, not just a threat… read on to find out how!
What about the Data Protection Act, and Brexit?
The GDPR will replace the Data Protection Act - many of the provisions are very similar, although the GDPR goes further (it puts more responsibility on Data Processors, for example) and accords data subjects (i.e. people whose data you hold) a series of specific rights. The Government has also confirmed that the GDPR will be incorporated into UK law, despite the Brexit negotiations.
OK, what do I need to do?
Fortunately, there’s a 12-step process to work through. There’s also really detailed guidance on the Information Commissioner’s Office website.
1. Awareness
Make sure you know what’s coming! You need to know what the GDPR says and how that will impact your practice. Do not ignore this and hope it will go away!
2. Information you hold
You need to keep a record of what Personal Data you hold, where it came from and who you share it with. Do you use Gmail or Outlook? Then you’re sharing data with Google or Microsoft. Unless you run your own in-house practice management system (which is very unlikely!), you are also sharing data with the company that provides and supports your PMS.
3. Privacy Notices
You should already have a privacy notice on your website, and one for your existing clients, explaining what data you collect about them. However, this may need to be updated to comply with the GDPR, especially given its focus on Rights.
4. Individuals’ Rights
Under the GDPR, individuals have a range of different Rights in relation to their data, including data deletion and Data Portability (transferring data in a machine-readable format to another provider). Among other things, this means that if a client asks for clinical notes to be sent to another practice, you may need to provide them in a common electronic format, e.g. as a spreadsheet or digital document.
5. Access Requests
As now, individuals will be able to demand to see their data, and to have it amended if it is inaccurate; however, the timescales have changed.
6. Lawful Basis
You will need to record not only what data you hold, but also your legal basis for collecting, holding and processing it.
7. Consent
At the moment, practices often operate on “implied consent” for data collection - we may no longer be able to do that. You must make sure your data consent procedures are as legally watertight as your clinical consent forms are!
8. Children
It’s unlikely that you are storing children’s Personal Data in most situations (and in general, our advice would be don’t go there!), but if you do, the rules have been tightened up, especially around verifying ages and getting parental consent for any data.
9. Data Breaches
As we saw earlier this year, data breaches can happen even to the biggest organisations. Remember, a breach isn’t just theft of information - unauthorised modification of a file or record is now legally a Data Breach. There is now a legal obligation to have a Breach Protocol in place, and in many cases the ICO must be informed if a breach does happen.
10. Impact Assessments
This is part of the “Privacy by Design” idea, meaning that privacy should be built into any new project or system you build or use, from a new website down to a new consent form. In many cases, Data Protection Impact Assessments will be needed to ensure that individuals’ privacy is respected at all times.
11. Data Protection Officers
You will need to allocate one member of staff to take responsibility for Data Protection compliance (and, if my experience is anything to go by, you’ll need to allocate them some admin time: it can be quite time-consuming to do it properly).
12. International Data
Remember, data sent outside the EU (e.g. to the US if you’re using Google, Microsoft or Dropbox) still has to be handled in accordance with the GDPR - so you’ll need to have formal documents to that effect from any overseas suppliers or providers.
If you need to know more…
The 12 steps above are taken from the ICO’s Preparing for the General Data Protection Regulation.
There’s a really good overview of the GDPR here.
The ICO have provided a Checklist here.
This is a legal requirement - but it could also be an opportunity for you.
Once you realise how much data you’re already holding, why not put it to use? Most practices seriously under-use their data. You hold huge amounts of information on your clients, including contact details and pet details, and this can (perfectly legally) be used to market your services, reach out to specific groups, and even follow up potential sales.
Don’t just see the GDPR as one more heavy burden - if carried out carefully, it can open up new avenues in marketing and sales!
If you’d like to know more, contact us about our veterinary marketing programmes.