Is your dental practice ready for GDPR?
DENTAL BULLETIN, ISSUE 61
What is the GDPR?
The GDPR is a new set of rules which will apply to all organisations that collect or retain personal identifiable data from any European individual. The idea behind it is to standardise data privacy laws and mechanisms across industries, and to ensure that fundamental rights of individuals are protected in today’s increasingly data-driven digital economy.
6 Things you need to know now
It is extremely important that everyone in your dental practice is made aware of the rules surrounding the new data regulation. Preparing for the GDPR will require changes in the practice’s culture, which you should start to plan in advance of the May 2018 deadline. Keeping everyone informed will ensure that your practice follows the proper procedure, and the GDPR is handled with the utmost care.
Here are 6 steps that will help your practice prepare for the changes today.
1. Article 7 GDPR – Consent
Under the new regulation, dental practices will be required to keep a record of how and when the patient gives consent to store and use their personal data. Consent will need to be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Consent cannot be inferred from silence or inactivity of the user.
Further requests for consent will need to be separate from other terms of engagement. In practical terms this means you will need to clearly explain to your patients what you are intending to do with their personal data.
It must be borne in mind that consent once given can be revoked, and it must be made equally easy to withdraw consent given.
The GDPR also introduces a requirement for parental consent. Where services are offered directly to a child, practices will need parental consent to process the data of under 16s.
To do list:
– Identify the categories of personal data processed within your practice.
– Consider the legal basis applicable to the processing of personal data within your practice, and make sure these grounds will still be complied with the GDPR.
– Where consent is relied on, check that it will be: freely given, specific, informed, and unambiguous.
– Consider introducing processes to promptly honour any withdrawals of consent.
– Make sure you keep a record of consents given to demonstrate compliance.
2. Articles 12-15 GDPR – Privacy notice
Aside from the need to obtain consent, your practice will be under an obligation to ensure that the processing of data is fair and lawful. Also, appropriate information must be given to your patients as to how their data is to be used. This is normally done in the form of a privacy notice. The GDPR has a mandatory list of the information which must be given to patients where data is obtained directly or indirectly from them. You will be expected to explain to your patients what data relating to them will be collected, how it will be used, the purposes for which it will be used and how their data may be shared.
To do list:
– Get to know your data. Consider what information is being collected, who is collecting it, how and why it is being collected.
– Consider how the information obtained will be used and who will it be shared with.
– Consider what possible effect the information obtained could have on the patients concerned.
– Consider building a data catalogue (if you haven’t got one in place) and drafting a meaningful privacy notice.
3. Article 30 GDPR – Records of Processing Activities
There will be a significant change to records of processing activities. The GDPR does not distinguish between internal and external records anymore. Dental practices will now require only one kind of record: an on-demand internal record. A practice will be required to maintain records of the entire practice’s processing activities internally. Moreover, these will need to be available to supervisory authorities upon request.
To do list:
– Consider implementing measures to prepare records of your practice’s processing activities.
– Consider introducing a full compliance program for your practice incorporating features such as regular audits, HR policy reviews, and training.
4. Articles 37-39 GDPR – Data Protection Officer
You will be required to appoint a Data Protection Officer (DPO) if the dental practice is:
– A public authority (except for courts acting in their judicial capacity) (Art. 37(1)(a));
– Carrying out systematic monitoring of individuals on a large scale (Art.37(1)(b)); or
– Carrying out processing of special categories of data or data relating to criminal convictions and offences on a large scale (Art.37(1)(c)).
Dentists providing NHS care will be regarded as public authorities. Thus, even a small NHS practice will require a DPO. It is anticipated that the Clinical Commissioning Groups (CCGs) will be providing Data Protection Officers in primary care settings.
If you don’t want to recruit, it will be possible to appoint a single DPO to act for a group of practices, provided that a DPO is easily accessible from each establishment. Alternatively, you can contract the services out.
For those organisations to whom the requirements do not apply, they may still choose to appoint a DPO.
To do list:
– Assess whether your practice is obliged to appoint a DPO.
– Consider who will be your DPO.
– Consider whether your practice should appoint an internal or external DPO.
– Compile information on data processing activities within the practice.
– Ensure that those to whom you have designated responsibility, their duties do not lead to a conflict of interests of their own role.
5. Article 20 GDPR – Data Portability
The rights of individuals under GDPR are the same as those under the Data Protection Act 1998 with a significant enhancement of the right to data portability. Under the GDPR, patients will have the right to receive the personal data which they have previously provided in a ‘commonly used and machine readable format’, and have the right to transmit that data to another controller. This information will need to be provided free of charge, thus removing the previous £50 subject access fee for dental records. This will apply only to data processed by automatic means, and not to paper files.
To do list:
– Consider whether the technical capabilities of your practice will comply with data portability requests.
– Make your patients aware of their right to data portability. Does your company send out e-bulletins and/or newsletters? Let your subscribers know by including a short paragraph at the end of the article.
6. Article 84 GDPR – Penalties
Any practice in breach of GDPR can be fined up to 4% of annual global turnover (not profit) or €20 million – whichever is greater. This fine can be imposed for the most serious infringements, for example for not having sufficient customer consent to process data. The practice can also be fined 2% for not having their records in order, or for not notifying the supervising authority and data subject about a breach, or not conducting impact assessment. In the case of a breach, practices will be required to report the breach to relevant authorities within 72 hours. The practice will be obliged to give full details of the breach and offer proposals for mitigating its effects.
You should be preparing for the new requirements that will affect your practice. Considering the above steps in the context of your practice is the very first step you can take in order to prepare for the upcoming legal changes. Do not assume that you will be able to claim innocence through ignorance of the rules – the whole point of the GDPR is to keep your company better protected and able to deal with breaches in security. If preparation is approached in the right way, your practice will be well-prepared in time for the regulation coming into force, and your business will be secured for years to come.
We will be running a workshop on 22nd February aimed at dental practices to help them prepare for the new GDPR requirements.
If you find this article interesting, please like and share it!
Agnes Biel, Paralegal