If you’ve kept your eye on the news, you’ll know that the General Data Protection Regulations are due to come into force on the 25th of May 2018. However, most dental clinics have little understanding of what the GDPR guidelines mean and how they will affect the day-to-day workings of their practice.
The General Data Protection Regulations
Commonly known as the GDPR, the General Data Protection Regulations (EU) 2016/679 have been enacted by the European Union to provide an easy-to-understand, single source governing how data is collected, used and stored. This set of regulations also covers the export of data collected within the European Union to areas outside the law’s jurisdiction.
The purpose of the regulations is to empower citizens with the right to choose how their data is used in an increasingly complex environment. In addition, it will assist international businesses in creating information management systems that respect the privacy and data of their customer base.
Addressing a growing concern
The selling of patient information has been the biggest concern facing businesses and individuals in recent times. In order to stem the trade in personal data, the regulations give individuals the right to request to see what types of information businesses store, how that information is being used and where it was initially obtained, and ultimately the right to request that their information be permanently deleted.
There is a growing trend towards individuals wishing to exercise control over their information in the public domain. The GDPR has stepped in to create an enforceable framework that sets out exactly what businesses can and cannot do. This matters because data is currently being used too freely, and in ways individuals do not approve of, through a lack of properly obtained consent.
The importance of a data professional
Many clinics employ someone to take charge of the entire organisation’s data, or assign this role to a current employee as part of their daily tasks. This individual, sometimes known as a Data Controller, is an invaluable asset to your dental practice.
The responsibilities of a Data Controller include routinely auditing data security, actively ensuring that the data collected is in line with current standards, and ensuring all elements of the business comply with the Information Commissioner’s Office requirements as well as the Data Protection Act and the soon-to-be-enforced General Data Protection Regulations. As such, the person responsible for your current data management is required to carry out extra checks to make sure the business complies with the refreshed standards of the GDPR.
An updated privacy policy
The first thing your dental practice needs to do is update and display a Privacy Policy which confirms and informs patients of their rights and the clinic’s responsibilities under the GDPR framework. The rights you need to include in your updated Privacy Policy include:
- The right to be informed of how your personal data is being used.
- The right to access your personal data held by the dental clinic.
- The right to rectify any held data you feel is incorrect or insufficient.
- The right to delete data you do not consent for the dental clinic to hold.
- The right to prevent the business from processing your data.
- The right to the easy movement of held data.
- The right to object to any aspect of the data storage, collection or security process.
- The right not to be subjected to automated profiling that targets you by placing you in specific predetermined demographics.
Moving beyond the Data Protection Act
The Data Protection Act, also known as the DPA, has governed patient data rights up until now. Compared with the General Data Protection Regulations, the DPA is similar when it comes to patient rights, but the GDPR provides greater clarity and direction on what a business must do in order to deliver those rights to individuals.
If your business already complies with the standard expectations of the DPA, then complying with the incoming GDPR should be relatively straightforward. However, because the regime is new, this is a good time to carry out a data and procedural audit to ensure you check off every detail.
Procedures and policies
A great way to get started with compliance is to ask yourself what you will do in the following situations:
- What is your process for confirming your patient list consents to having data collected?
- What types of information does your clinic collect in person and online and what is the purpose of this data collection?
- Who is responsible for handling data related queries and complaints? Do they know the first step in resolving patient data issues?
- What would your staff members do if a patient requested to have their data erased from your system? What list of tasks do they need to work through to execute this request effectively?
The implication for marketing campaigns
Effective marketing campaigns rely on having a potential and existing patient list to direct efforts towards, but this represents a problem when it comes to consent. The GDPR steps in to provide a clear line which helps guide us on how to create effective marketing campaigns that aren’t unwanted mail.
When we engage in marketing activity, we are also collecting data. This data covers most of the contact points your current and potential patients have with your online presence, including:
- The mechanisms you use to track visitors to your website.
- Any data collected through pay per click advertising or embedded advertising campaigns.
- Any data input into online forms, such as the standard template used when patients wish to make an appointment.
- Any identifying information or related email addresses used when signing up for regular emails, newsletters, or special offers.
- All information collected via your dental clinic’s Facebook page and related campaigns.
Data collection via tracked visitors
The most common form of data collection used by businesses with an online presence is cookies, which allow businesses to learn about their clients’ preferences. However, cookies can be seen as invasive, so it is important for you to update your cookie policy and put procedures in place to act in accordance with it.
Updating your Cookie Policy
As it is important to inform patients, your Cookie Policy should include the following things:
- What cookies are and how they function.
- How your dental clinic uses cookies.
- Information on how patients can disable cookies if they choose to do so.
- Information relating to third party cookies, such as Google Analytics.
- Information on how cookies are used to provide you with targeted campaigns.
Guidance for obtaining patient leads online
The most common way dental practices obtain new patient leads is through a contact form on their landing page. When a potential patient submits information through your contact page, they are at the same time providing consent that they wish to be responded to for what they have requested.
However, if you wish to contact patients beyond this, say to promote a new service or offer a discount, or simply issue a newsletter, then you need to expressly ask your patient whether they wish to opt in for this service.
Opt-in box
The most common method dental practices use to obtain consent is to add an opt-in checkbox to the contact form, which patients must actively tick in order to receive communications.
In addition to obtaining consent, you must ensure your practice maintains records of where and how consent was obtained. This is important should your method of consent come into question, as you will need to provide evidence that this has been done in a compliant manner.
Additional security issues
The most common way dental clinics obtain new patient leads is through a contact page on their website. However, most dental clinics do not realise that this method is not secure by itself.
To keep this data secure, you will need an active SSL certificate on your website, so that the information patients submit is encrypted in transit and cannot be read by anyone intercepting it. Visitors to your website will see that your page is SSL protected through a padlock symbol in the browser, providing an extra layer of confidence for patients submitting their personal information. Note that the certificate only protects data while it travels to your website; how the submitted data is then stored, and who in the clinic can access it, still needs to be covered by the data audit described above.
Moving forward with the GDPR
To move forward with the GDPR, you will need to make sure your current patient list and the corresponding email addresses are audited and up to date with regard to consent. If you send emails without doing so, not only can your business emails be marked as spam, meaning they won’t appear in any inboxes, but you will also be liable under the new laws set out by the GDPR.
As well as offering an opt-in box online, you can also place an opt-in box on physical forms that patients fill in at the desk when they first arrive in your clinic. The benefit of this method is that it is a physical copy of consent, meaning it is easily accessible should you need it for auditing purposes.
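As an added example (not from the original article), the following Python sketch shows one way to keep the consent records described above: each opt-in or withdrawal is logged with where and how it was obtained, a mailing list is audited so that only patients whose latest decision is a positive opt-in are emailed, and the evidence trail can be produced for an auditor. The channel names, form references and patient details are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str        # what the consent covers, e.g. "newsletter"
    granted: bool       # True only if the patient actively ticked the opt-in box
    source: str         # "web_form" or "desk_form" (assumed channel names)
    obtained_at: datetime
    evidence: str       # reference to the form version or the scanned paper copy


def record_consent(ledger, email, purpose, box_ticked, source, evidence, when=None):
    """Append an entry. An untouched box is recorded as a refusal, never as a
    default 'yes': a pre-ticked box is not valid opt-in consent."""
    when = when or datetime.now(timezone.utc)
    ledger.append(ConsentRecord(email.strip().lower(), purpose, bool(box_ticked),
                                source, when, evidence))
    return ledger


def latest_decision(ledger, email, purpose):
    """Most recent record for this patient and purpose, or None if never asked."""
    matches = [r for r in ledger
               if r.email == email.strip().lower() and r.purpose == purpose]
    return max(matches, key=lambda r: r.obtained_at) if matches else None


def marketing_recipients(ledger, patient_emails, purpose):
    """Audit a mailing list: keep only addresses whose latest decision is an opt-in.
    Patients with no record (e.g. who only used the contact form) are excluded."""
    return [e for e in patient_emails
            if (d := latest_decision(ledger, e, purpose)) is not None and d.granted]


def consent_evidence(ledger, email, purpose):
    """Where and how consent was obtained, in order, for an auditor or access request."""
    matches = sorted((r for r in ledger
                      if r.email == email.strip().lower() and r.purpose == purpose),
                     key=lambda r: r.obtained_at)
    return [(r.obtained_at.isoformat(), r.source, r.granted, r.evidence) for r in matches]


# Constructed sample data (not from the original page)
SAMPLE_LEDGER = []
T = lambda day: datetime(2018, 5, day, 9, 0, tzinfo=timezone.utc)
record_consent(SAMPLE_LEDGER, "Alice@example.org", "newsletter", True, "web_form", "form v2", T(1))
record_consent(SAMPLE_LEDGER, "bob@example.org", "newsletter", True, "desk_form", "scan 0417", T(2))
record_consent(SAMPLE_LEDGER, "bob@example.org", "newsletter", False, "web_form", "unsubscribe link", T(10))
SAMPLE_LIST = ["alice@example.org", "bob@example.org", "carol@example.org"]  # carol: contact form only

if __name__ == "__main__":
    print(marketing_recipients(SAMPLE_LEDGER, SAMPLE_LIST, "newsletter"))  # ['alice@example.org']
    print(consent_evidence(SAMPLE_LEDGER, "bob@example.org", "newsletter"))
```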
With adequate planning, the General Data Protection Regulations do not have to be a burden. In fact, aligning your practice with these regulations is the perfect extension to patient-focused care and should be a priority for every proactive clinic to implement well before the end of May.