Mayday! Mayday! There may be trouble ahead…
The upcoming new data protection regulations may be distressing for dentists, but ignoring them will cost you dear. Dental marketing expert, Shaz Memon, wades through the changes to help you safely to the ‘other side’.
The heavy cloud that is the new General Data Protection Regulations (GDPR) is looming on the horizon. Although the day it is to be implemented (25 May) might seem a long way off, dentists are advised to address the new regulations sooner rather than later if they are to be 100% compliant once the new laws are in force.
With the fines for being anyway off point eye-wateringly high, it appears prudent to plan ahead. A well-managed transition will reap benefits in the long run. So, allow yourself enough time to consider every aspect of your patients’ personal information in order to navigate your way safely around hazardous blips and glitches.
In a nutshell, in May 2016 the European parliament gave members two years to implement new regulations that will overwrite the current Data Protection Act.
Despite Brexit, the GDPR will come into force and, with them, a whole raft of necessary requirements for any business handling personal data – and that affects dental practices, of course.
If your practice ticks all the boxes in meeting the main principles of the Data Protection Act (DPA) – and is, therefore, complying with current law – most of your compliance will remain valid. However, should you fall short of complying with sensitive personal data and personal data, be warned – fines are punitive!
The differences between the DPA and the new GDPR are expansive and mind-blowingly complex. In all honesty, it’s taken a lot of investment of time to get to grips with understanding them.
Key changes include:
- A greater emphasis on the documentation that data controllers must keep to demonstrate accountability
- An expectation to provide individuals with more information about their personal data
- A need to review approaches in order to govern and manage data protection
- A greater emphasis on the individual’s rights about personal data
- A requirement to meet any access requests
- A need to obtain consent
- A duty to report any breach in data protection
- An expectation to conduct privacy impact assessments in order to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy
- A need to appoint a data protection officer.
The GDPR applies to personal data and sensitive personal data. However, sensitive personal data is to be referred to as ‘special categories of personal data’.
Additionally, the definition of personal data, under GDPR, is more detailed to include online identifiers – and even covers data using artificial identifiers or pseudonyms.
So, specifically, what does this mean for you and your dental marketing?
If your business uses email marketing, sends direct mail or makes sales calls, GDPR affects what you can and cannot do – so, some things you are allowed to do today will no longer apply post-GDPR D-day.
Firstly, I’d advise that you audit your website after you have read the comprehensive ICO guide and work out how to implement the new changes and make sure your team understands the implications, too.
Digitally speaking, you will also need to reassess collection and storage management of data.
For example, do you use any tracking tools on your website, such as Google Analytics?
People have the right to know what personal information you’re storing about them as well as what you might do with that data.
The law applies to any data that can be traced back to an individual – and that even includes things like their computer’s IP address.
You may have to consider upgrading to a secure server. Internet browsers are already issuing warnings about sites not on a secure server – and this could deter anyone making an enquiry on your website.
You will also need to consider an opt in/opt out option for online forms – and you need to record when they gave you permission and log exactly what they were shown when they opted in.
Digital age and consent
There also needs to be proof of consent – explicitly given – and it is important to remember that data can only be used for the purpose for which consent has been given.
So, if someone contacts you via your practice website with an enquiry of some kind, this does not give you automatic permission to add them to your email mailing list.
When it comes to pseudonymisation, there is a little ambiguity here. Encryption is fine and practices that use HTTPS to send data over, using an encrypted connection, are more secure. So, if your website has an SSL certificate, that’s halfway there. But, if stored unencrypted, personal data would be vulnerable should a breach occur.
In essence, although pseudonymous data is not exempt from the regulation altogether, the GDPR relaxes several requirements on controllers that use the technique.
Cost of non-compliance
Not yet convinced to get cracking or prepared to ramp up your data protection? Here’s the killer blow – maximum fines for data breaches may be as much as €20 million or, alternatively, 4% of your company’s annual global turnover.
Data is a liability so, unless you need to keep it, delete it! Only collect information that you need for a specific purpose, obviously keep it secure and ensure it is relevant and up to date. Remember that consent can be withdrawn at any time and patients can request to see the information you hold on them whenever they wish.
Note, too, that any dedicated data controller must register with the Information Commissioner’s Office (ICO). You can find further advice, a self-assessment toolkit and numerous other supporting documents on its website ico.org.uk/for-organisations/business.
So, get those tick boxes in order – oh, and don’t forget those website tick boxes cannot be pre-ticked – and do plan ahead.
With a ‘take home’ message that you need to handle each and every one of your clients’ personal data with the optimum care, start making the necessary changes not only to meet the GDPR requirements on time, but to protect your brand, too.
GDPR will no doubt prove to be a bit of a ‘hot potato’ – with companies perhaps trying to pass the buck when it comes to liability.
However, despite the temptation to put it on the back burner for now, it will most certainly be a hot topic as May fast approaches.
Dentists would be wise to consider the risks of non-compliance immediately so that their business can ride these wave of changes confidently.
For more information visit digimax.dental.