GDPR is coming! Are you prepared? In this blog, I’ve tried to summarise the position relating to ‘marketing for dentists’.
What is GDPR?
GDPR is the General Data Protection Regulation (officially Regulation (EU) 2016/679). Although it has new aspects it is not really new: it is an evolution of the existing European data protection rules (the 1995 Directive, implemented in the UK as the Data Protection Act 1998) and aims to strengthen individuals’ rights over the collection, use and storage of their personal data. The penalty for non-compliance can be up to €20 million or 4% of worldwide annual turnover, whichever is higher.
So, what counts as personal data?
Any data that can be used to identify a living person, directly or indirectly, is personal data: e.g. name, address, email address, NHS number, location data, IP address (the address of the computer used to access your website).
And, what is ‘Sensitive Personal Data’?
As the name implies this is a special class of data (the GDPR calls it ‘special category data’, Article 9) that attracts extra protection. It includes racial or ethnic origin, health status (i.e. oral health, dental records, treatments etc.), genetic and biometric data, religious beliefs, sexual orientation and trade union membership. Marital status is personal data but is not in the special category. For a dental practice nearly every patient record contains health data, so this class is the norm rather than the exception.
What rights do patients have?
In essence, your patients need to be assured that you only store the data you need; that you keep it secure; that you will let them see it if they ask (a ‘subject access request’, normally answered within one month and free of charge); that you will correct any errors they point out; and that you will delete it if they ask, subject to the exceptions: clinical records must still be kept for as long as your professional and legal retention rules require, and you should tell the patient when that applies.
Data storage, Practice Management software etc
What do I have to do?
1. Audit all personal data held: find out what you hold, where it is and why.
2. Document everything: plan and write down policies and procedures for:
   - Access requests: how will you fulfil a request to see the personal data you hold?
   - Data security: what you are doing to keep the data safe.
   - Data breaches: how you will know there has been a breach, and who must be told.
3. Inform your audience: update your privacy statement (more detail below).
4. Identify a legal basis for every personal data collection activity.
5. Consider appointing a Data Protection Officer (DPO).
6. Breach notification: under GDPR a personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it unless it is unlikely to result in a risk to the people affected, and the affected people themselves must be told when the risk to them is high. A breach on your website counts, so you are under a legal requirement to assess and monitor its security, and you need to be able to tell that a breach has happened at all. Here at Dental Design, we monitor all of our sites constantly, but if you’re not a client, you could install a security plugin such as ‘Wordfence’ (for WordPress sites) and keep the site, its plugins and its hosting software up to date.
7. Data collection, processing and storage:
   - You need to provide an easy method for people to request the information you hold on them.
   - You need to enable a person to alter or correct the information, or have it permanently deleted if they desire (subject to the retention exceptions above).
   - ‘Cookies’ are covered by the ePrivacy rules, which sit alongside GDPR rather than inside it. A new ePrivacy Regulation was meant to take effect on the same day as GDPR, but it is still in draft and will likely be delayed; until it arrives the existing ePrivacy Directive (PECR in the UK) continues to apply, so your cookie notice still matters.
   - ‘Secure servers’, i.e. serving your site over HTTPS (SSL/TLS), are not named in the GDPR, but Article 32 does require ‘appropriate technical and organisational measures’ and gives encryption as an example, and without HTTPS neither you nor your visitors can be sure that what passes between their browser and your site has not been read or altered on the way. Google’s Chrome browser will also mark every plain-HTTP page as ‘Not secure’ from July 2018 (Chrome 68), so you risk not only data breaches but also lost rankings and therefore visitors. So a bit of a ‘no-brainer’! As a result we now only host our clients on secure servers; if you’re not with Dental Design, speak to your web company to ensure you are ‘secure’. Bear in mind that HTTPS only protects data on its way to your server; it does nothing for data that is then emailed onward, which is the subject of the next point.
   - In the past only ‘referral forms’, i.e. those containing medical information, were expected to use a ‘secure form’ system. The majority of website forms still send the submission to the practice by email, so the data travels across the internet in a message that may be unencrypted in transit, is copied into at least two mailboxes and is then outside your control. Best practice is a ‘secure form’ system in which the submission is not emailed at all but is stored on the (HTTPS) server and can only be downloaded by an authorised person with a specific password. Two checks worth making of any such system: the stored submissions should be encrypted at rest, ideally so that the web server itself cannot decrypt them, and the download should be over HTTPS and require a login rather than a link that anyone could guess. Here at Dental Design, we offer a ‘secure form’ option to all clients, and if you’re not with us, I’d recommend you ask your web company to install one for you to ensure you’re compliant.
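As an added illustration of the ‘store, don’t email’ pattern (this is example code written for this post, not Dental Design’s secure form product or any other web company’s code), the Go program below goes one step further than the password-protected download described above: the web server seals each submission with a fresh AES-256-GCM key and wraps that key with the practice’s RSA public key, while the private key stays at the practice. A download from the site is therefore useless without the practice’s key, and a compromised web server cannot read earlier submissions. The Submission fields, the constructed sample data and the ‘practice-form-key-v1’ label are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Submission is one completed web form (fields assumed for this example).
type Submission struct {
	Name     string    `json:"name"`
	Email    string    `json:"email"`
	Message  string    `json:"message"`
	Received time.Time `json:"received"`
}

// Envelope is all the web server keeps: a per-submission AES-256 key wrapped
// with the practice's RSA public key, plus the submission sealed under that key.
// The private key never sits on the web server, so a compromised site cannot
// read what has already been stored.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// oaepLabel (an assumed value) ties the wrapped key to this one use.
var oaepLabel = []byte("practice-form-key-v1")

// NewPracticeKey makes the practice's key pair: generated once, off the web
// server; only the public half is deployed with the site.
func NewPracticeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the web server the moment the form is submitted. Nothing is
// emailed: the plaintext is encrypted at once and only the envelope is stored.
func Seal(pub *rsa.PublicKey, s Submission) (Envelope, error) {
	plaintext, err := json.Marshal(s)
	if err != nil {
		return Envelope{}, err
	}
	key := make([]byte, 32) // fresh AES-256 key for this submission only
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// GCM adds an integrity tag, so tampering with the stored file is detected.
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open runs at the practice, on the machine holding the private key, after the
// envelope has been downloaded over HTTPS from the site's logged-in area.
func Open(priv *rsa.PrivateKey, e Envelope) (Submission, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, oaepLabel)
	if err != nil {
		return Submission{}, fmt.Errorf("cannot unwrap key (wrong private key?): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Submission{}, err
	}
	plaintext, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return Submission{}, fmt.Errorf("envelope rejected (tampered?): %w", err)
	}
	var s Submission
	return s, json.Unmarshal(plaintext, &s)
}

// SampleSubmission is constructed data for the example, not a real patient.
func SampleSubmission() Submission {
	return Submission{Name: "A. Patient", Email: "patient@example.com",
		Message:  "Referral: lower left molar, suspected abscess.",
		Received: time.Date(2018, 5, 25, 9, 0, 0, 0, time.UTC)}
}
```

In use the site calls Seal with the deployed public key and writes the Envelope (for instance as JSON) to its storage; the practice logs in over HTTPS, downloads the envelope and runs Open on a machine that holds the private key. Because GCM authenticates the ciphertext, a submission that has been altered on the server is rejected rather than silently read.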
This post doesn’t go into items 1, 2, 4 or 5 above; we’d recommend you speak to your Defence Union, IT suppliers, practice management software suppliers etc. for more detailed advice on those. At the bottom of the page there are a number of links you may find useful.
You’re only a ‘small practice’ so are you affected by GDPR?
No matter how small you are, you have to collect, store and use personal information securely. Article 30(5) of the regulation exempts organisations with fewer than 250 employees only from the duty to keep a written record of their processing activities, and even that exemption falls away where the processing is not occasional or involves special category data such as health records. A practice uses patient data every day in its practice management software, so GDPR, and the potential fines, certainly apply to you.
You’re a dentist so does GDPR apply to you?
Many dentists feel that, as ‘medical practitioners’, the rules don’t apply to them. Certainly, under point 4 above, you have a legal basis for collecting and storing data about your patients (for the clinical record the GDPR provides a specific condition for the provision of health care, Article 9(2)(h)). But you still have to comply with the data security and other obligations, and, whilst you’re obviously entitled to email patients about their appointments, if you’re deemed to be ‘marketing’ you will need consent.
Okay, so with all the official info out of the way, and now that we’ve established that GDPR does apply to you, let’s talk about how to make sure your website is compliant:
GDPR is very hot on the subject of direct marketing, and the rule for email marketing is clear: you must hold consent from a person before you can send them marketing emails. Consent under GDPR means a freely given, specific, informed and unambiguous indication of the person’s wishes, given by a clear affirmative action. (Strictly, the requirement for consent to email marketing comes from the ePrivacy rules, PECR in the UK, which now define consent by reference to the GDPR; the effect for a practice is the same.)
As dentists you have no doubt collected many, many emails from your patients over the years, and you would imagine that it’s OK for you to send recalls and reminders, but, to date, I’ve seen nothing in writing that confirms this. However, it is written that before you can market to anyone (informing patients about a special offer, new treatments available etc.) you must have obtained consent, and Recital 32 of the GDPR says in terms that ‘silence, pre-ticked boxes or inactivity’ do not constitute consent, so a tick box on your website’s form that is set to ‘agree’ by default would count as a violation!
There are other implications too: if you buy a mailing list, say from a local newspaper, you would be emailing the recipients unlawfully, since none of them asked to receive emails from you specifically.
So, to my mind, best practice would be for you to email every patient and ex-patient whose address you have, asking them to ‘opt in’ to receive emails from you. You need to:
- Clearly state what you will be emailing about, so specifically name ‘marketing and promotional’ information (and, if you want the consent to cover recalls and reminders as well, name those as a separate purpose).
- Keep a record of when consent was received, what it covered and where it was captured (the website form, the reception desk etc.), because under the GDPR you must be able to demonstrate it.
- Provide a method by which people can change their permission or opt out, and honour it promptly.
- Once you have this ‘clean list’, keep it constantly updated with every new address you collect, and check that every entry has ‘agreed’ to being mailed.
- If you don’t get consent, remove the address from your list. If nothing else, it probably means the email address is out of date and therefore not worth using! One caution: the re-permissioning email is itself a marketing message to anyone whose consent you do not already hold (the ICO fined Flybe and Honda in 2017 for sending exactly this kind of ‘please update your preferences’ email), so send it only to people you can lawfully contact and let everyone else opt in on your website or at the desk.
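The list above amounts to a consent registry. The Go program below is an added example of one, written for this post rather than taken from any practice management software or from Dental Design, to make the record-keeping concrete: each address carries the purposes consented to, the source, the time and any withdrawal; a pre-ticked box is refused rather than recorded; CleanList produces the addresses with live consent for a purpose; and Reconcile splits an old address book into the entries that may stay on the list and those to remove. The purpose names (‘marketing’, ‘reminders’), the sources and the sample addresses are assumptions made for the example.

```go
package main

import (
	"errors"
	"sort"
	"strings"
	"time"
)

// ConsentRecord is what the practice keeps per email address: which purposes
// were agreed to, where and when, and whether consent has since been withdrawn.
// Withdrawn records are kept as evidence; they simply no longer permit mailing.
type ConsentRecord struct {
	Email       string
	Purposes    map[string]bool // e.g. "marketing", "reminders" (names assumed)
	Source      string          // where consent was captured, e.g. "website form"
	GivenAt     time.Time
	WithdrawnAt *time.Time // nil while consent stands
}

var (
	ErrPreTicked = errors.New("pre-ticked box is not consent; nothing recorded")
	ErrNoPurpose = errors.New("consent must name at least one purpose")
)

// Registry holds one record per normalised address.
type Registry struct {
	records map[string]*ConsentRecord
}

func NewRegistry() *Registry {
	return &Registry{records: map[string]*ConsentRecord{}}
}

// normalise makes "Alice@Example.com " and "alice@example.com" the same key.
func normalise(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// Record stores consent given by a clear affirmative action. preTicked reports
// whether the box was already checked when the form was shown; that is refused
// outright, so a default-on checkbox can never produce a mailing entry.
func (r *Registry) Record(email string, purposes []string, source string, preTicked bool, at time.Time) error {
	if preTicked {
		return ErrPreTicked
	}
	if len(purposes) == 0 {
		return ErrNoPurpose
	}
	p := make(map[string]bool, len(purposes))
	for _, x := range purposes {
		p[x] = true
	}
	key := normalise(email)
	r.records[key] = &ConsentRecord{Email: key, Purposes: p, Source: source, GivenAt: at}
	return nil
}

// Withdraw records an opt-out. The record stays, so the practice can show both
// when consent was given and when it ended.
func (r *Registry) Withdraw(email string, at time.Time) {
	if rec, ok := r.records[normalise(email)]; ok {
		rec.WithdrawnAt = &at
	}
}

// MayEmail answers the only question the mailing tool should ask: does this
// address have live consent for this purpose?
func (r *Registry) MayEmail(email, purpose string) bool {
	rec, ok := r.records[normalise(email)]
	return ok && rec.WithdrawnAt == nil && rec.Purposes[purpose]
}

// CleanList returns every address with live consent for the purpose, sorted.
func (r *Registry) CleanList(purpose string) []string {
	var out []string
	for key := range r.records {
		if r.MayEmail(key, purpose) {
			out = append(out, key)
		}
	}
	sort.Strings(out)
	return out
}

// Reconcile takes the practice's old address book and splits it, in input
// order, into the addresses that may stay on the list for the purpose and
// those to remove because no usable consent was recorded or it was withdrawn.
func (r *Registry) Reconcile(legacy []string, purpose string) (keep, drop []string) {
	for _, e := range legacy {
		if r.MayEmail(e, purpose) {
			keep = append(keep, normalise(e))
		} else {
			drop = append(drop, normalise(e))
		}
	}
	return keep, drop
}
```

The mailing tool should only ever send to what CleanList returns, never to the raw address book; and because Reconcile reports the dropped addresses, the practice can show afterwards which entries were removed and why.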
So to sum up: GDPR compliance shouldn’t be too complicated for a small practice, but everyone needs to be thinking and acting now to make sure they don’t run the risk of falling foul of the changes.