Do the new GDPR Rulings worry you?
On the 25th of May 2018, GDPR (the General Data Protection Regulation) compliance will come into effect for all practice websites that capture data via contact forms, online registrations, e-mail sign ups and even personal e-mails.
The GDPR’s primary goal is to create a set of easy-to-follow rules for the entire EU, which uphold the highest standards of data privacy.
Why You Should Care About the GDPR
As the UK is still part of the EU, the GDPR will apply to any practice that collects data from EU citizens. This means that if you’re running a practice website with registration enabled, the GDPR technically applies to you.
The GDPR can impose several types of penalties. For example, you could get fined 2% of your annual revenue for failing to disclose a data breach, or up to 4% for failing to ask for user consent when storing data. These are steep fines. However, the good news is that complying with the GDPR on your practice website is relatively simple.
How to comply with the GDPR
Here are the four main rights that the GDPR grants to users and how to comply with each of them:
- Breach notification. Under the GDPR, you must inform your users within 72 hours if any breach occurs that might compromise their data.
- Right to access. Users have a right to access the information you have about them.
- Right to be forgotten. Your users have the right to ask you to delete their accounts and all personal information you have. You may also need to cease sharing that information with third-party services.
- Privacy by design. You may be held liable for data breaches if your system isn’t secure by design. In other words, you can be held responsible for failing to take precautions to protect user information, for example if your website runs on WordPress without proper backend security.
What does it actually mean to you, the practice owner, and to us, the practice website managers?
In reality, nothing much has changed from the cookie law or any other rules and regulations that control what data we as vets collect on our websites.
Make sure all your practice website visitors are able to OPT IN, and give them a clear indication of how you intend to use their data.
Give explicit instructions on how to be removed from a mailing list or from your stored data. Remember, if you hold details of clients in your records and they ask for them to be deleted, you must inform them that, for tax purposes, you will keep that data for up to 7 years in order to comply with your tax office, but will not use it for any other reason.
For any contact forms or online registration forms or repeat prescription forms, there needs to be a clearly visible link to the practice privacy disclaimer.
RCVS INFORMATION ABOUT GDPR & FAQs
Will the GDPR still apply when the UK leaves the EU?
Yes, the UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Does the GDPR apply to data about animals?
No, the GDPR applies to data that can identify a living individual. This does not include animals.
Do I need to register with the ICO?
Under current data protection law, organisations that process personal information are required to notify the ICO, as data controllers (unless exempt), and explain what personal data is collected and what is done with it. They are also required to pay a notification fee, based on their size, which is currently £35 to £500. When the GDPR comes into effect there will no longer be a requirement to notify the ICO in this way; however, there will still be a legal requirement for data controllers to pay the ICO the data protection fee outlined above.
How can my practice inform individuals how we process their personal data?
By ensuring that your practice’s privacy notices are clear, concise, transparent and easily accessible. The ICO website has helpful guidance which will assist in the preparation of such a notice.
What does my practice do if a client makes a subject access request?
First check the request is in writing (a requirement) and then ensure you respond, ordinarily within a month. A request would most commonly be made where a person wants to see a copy of the information a practice holds about them.
Do I have to erase a client’s data if they ask me to?
If the lawful basis for processing the data is consent, and consent is withdrawn, then you must comply with the request unless you have another legal ground for processing the data.
If, however, you are processing the data on another lawful basis, you need to weigh up whether you are justified in retaining the information, or some of it. If in doubt, check with the ICO.
If a client moves to another practice does that mean that they have automatically asked to be forgotten?
No, but you should consider whether you still have a lawful basis for retaining the data, such as a legitimate interest, e.g. a potential fee dispute.
What is a data breach?
The loss, damage or destruction of data, or the unauthorised disclosure, access or alteration of personal data, e.g. typing the wrong email address and sending personal data regarding Mr X to Mrs Y.
If there is a data breach, should I inform the individual concerned?
Yes, if the breach is likely to result in a high risk to that individual’s rights and freedoms (see https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-breaches/).
What impact does the GDPR have on sharing of patient history when referring?
Information relating to the animals is not affected by the GDPR. You will need a lawful basis for transferring a client’s data, such as consent. You should be clear about what client data on file you have consent to transfer to the new practice; a client may not want you to transfer personal data relating to bills/invoices.