What GDPR means for clinics
I spent a day last week at a seminar about GDPR, swotting up on what has to be one of the most significant changes to data-driven marketing in my career. Despite it coming into effect on May 25th, few clinics I’ve spoken to are fully up to speed with what this new data protection legislation means for them or the steps they need to take to become compliant. It is complicated, which is why I think people are postponing preparing for it, but that’s not going to be an option for much longer. Here’s a brief* overview of what it means for clinics and a few things you need to consider.
*Brief being the operative word here; go here for the ICO’s guide to GDPR.
What is it?
This new regulation looks to strengthen data protection across Europe (and no, Brexit isn’t going to change this). No business is exempt from these new rules, and there are punitive implications for not complying.
What does it mean?
Data Breaches
This is a big one. Back in October last year, hackers stole a huge amount of data from a cosmetic surgery clinic and held the clinic to ransom.
The GDPR makes reporting of any breach mandatory. A breach should be reported to the regulator, ideally within 72 hours. A breach could be unauthorised access to client files, a network breach, a lost mobile phone with client contact details on it, or a misplaced laptop with client images or data on it. Whoever has been affected by the breach (clients, patients, etc.) also has to be made aware of it.
Practical Actions:
- Make someone in your clinic responsible for this.
- Have a process in place for dealing with any data breach.
- Understand where data is. I’ve worked for practitioners where client data and images are on their personal mobile phone, which is terrible business practice. Stop this immediately and put in place a more controlled, secure and professional process.
- Communicate a company-wide data policy and make non-compliance a disciplinary issue.
Consent and individual requests
Consent for personal data must now be much more detailed: clients have to explicitly consent to exactly how you want to use their data, and to each separate use of it. For example, you will have to ask for consent to use data for marketing, for financial (fraud) checks, and for images, including how they are going to be used: to track the progress of treatments, to show other clients, to use on your website, etc.
Your reasons for holding client data need to be made clear to clients. They will also need to be made aware of the complaints process they can follow if they feel dissatisfied with your processes or performance.
Practical Actions:
- Review and understand every single data process within your business, and put in place distinct and separate consents for each. This can form your data register: a central record of all the data you collect, store and use.
- Consent given by the client must be easy to withdraw, so you should develop a straightforward, uncomplicated process by which a client can withdraw their consent at any time.
- Have a plan for data requests. Clients can request access to their data and you are expected to respond within a month, so have a process in place for requests of this nature.
- A few clinics I’ve spoken to are re-opting their database, i.e. sending an email out and getting people to re-opt in to email comms. This will reduce the database volume significantly, BUT on the bright side, those who opt in really want to hear from you. The Light Salon added a prize draw to theirs to encourage the opt-ins, which was smart.
Data Security
All data you keep needs to be secure, and you are responsible for managing any vulnerabilities in your storage and having a plan in place for them. Paper records: are they under lock and key, and who has access to them? Online records and images: how is information transferred across platforms? How is it encrypted? How easily is it accessed? Is it password protected? Who has those passwords?
Practical Actions:
- Understand, minimise and address any potential risks of data breaches.
- You may want to consider insurance protection or get professional help on this.
- Track everything you’re doing: even if the worst happens, companies that have shown active compliance with the regulations will be better supported than those that haven’t.
And finally, this is a great thing for our industry! It raises professional standards and gives clients additional security and peace of mind, so be happy about the changes you’re making!