GDPR isn’t really ‘one-size-fits-all’. We all collect and handle data in different ways. This means that we need to look at what we ourselves are doing to make sure we’re GDPR compliant within our practice.
There is no shortage of guidance and information, but there is a lot to process and consider.
It’s taken me several dedicated blocks of time to get my head around this myself. I’m also lucky to have some great people in my support team to help me.
Here’s what I’ve learned.
The main thing to grasp about GDPR is that it brings with it a shift in mindset.
It makes explicit several principles that previously only implicitly underpinned data protection law, such as the “accountability principle” and “privacy by design”, and encourages organisations to take more responsibility for protecting the personal data they handle.
Questions to ask yourself:
- Should I have this data at all?
- If I should have this data then what am I doing with it?
- Does the client/customer know I have this data and how I use it?
- Is the data protected adequately (both paper and electronic)?
- How long am I keeping it for and how will I destroy it?
This means that you need to think through all of your data collection and handling processes. It also means that you need to make sure your computer systems are as secure as possible.
You need to be transparent with your clients about how you collect and store their data, and what you use it for. This means that you need to make it explicit and to obtain a physical or digital signature to show that they have understood and given their consent.
These are the steps I’ve recently taken to ensure I’ve completed due diligence with respect to the GDPR legal requirements.
1/ Research into software systems for GDPR compliance
I spent a morning sitting, thinking and making notes for myself on where and how I collect, process and store my clients’ data.
I researched the software systems I use and checked whether they were GDPR compliant.
Your software systems may well be different from mine. You will need to check them yourself.
a) Get Timely* is my client booking system.
Each client has their own profile and this is very useful as it helps me to check back on dates of appointments, payments received and so on.
I checked their GDPR status and found this statement on their blog:
“Here at Timely, we’re busy preparing for these upcoming changes and are committed to complying with our obligations. In fact, we’re using it as an opportunity to review our processes and improve the level of transparency with our customers.”
At the moment, I’m happy to trust them to complete the process of becoming GDPR compliant. I will check back in due course.
b) I use iOS for Mail and Contacts.
I checked their GDPR status and found this statement on their blog:
“As part of our EU General Data Protection Regulation (GDPR) work, we are undertaking Privacy Impact Assessments (PIA) of our major products and services and integrating PIAs as we develop new products and services.”
Again, at the moment, I’m happy to trust Apple to complete the process of becoming GDPR compliant. I will check back in due course.
c) I use Dropbox as cloud storage for customer records.
I checked their GDPR status and found this statement on their website:
“Dropbox will meet the requirements of the GDPR by May 25, 2018.”
These are my three core systems and they all assert that they will be GDPR compliant by May 25th, 2018.
2/ Confirm subscription to your email list
I researched Mailchimp as this is the email service that I use. It is already GDPR compliant and has a lot of useful resources on their blog.
a) Change list settings to allow the GDPR checklist to be added to the opt-in form.
b) Create a new segment, to act as a filter for people who choose to confirm their subscription.
c) Set up campaigns that include a link to confirm subscription.
d) I’ve decided to forward my newsletter to new clients, so they can see it and subscribe if they would like.
e) Update the subscription link on my website.
3/ Register with the Information Commissioner’s Office
The ICO also has a lot of helpful information guides to download.
There is a small annual fee.
4/ Write a Data Protection Policy
There are templates available on the web. These are a starting point and need to be reviewed and adapted.
5/ Add your Data Protection Policy to your website
Best practice is to have this as a link in the footer, so it can be seen on every page.
You can see my Data Protection Policy here. (It’s in the bottom left corner.)
6/ Obtain signatures for transparency and consent
a) Give clients a copy of your client-therapist agreement. Include a separate data protection policy.
b) Obtain a signature to show consent to both.
c) New Skype clients are directed to an online form instead. I have not yet set this up. When I do so, this will be via Typeform.* (Disclaimer: this is a referral link.)
7/ Implement regular data review
a) Client notes need to be kept for 7 years after the last appointment.
b) Set up a system to review notes regularly so that they are not kept for longer than needed.
c) Destroy notes securely.
8/ Implement stringent security
The majority of data breaches happen due to lost, stolen or weak passwords.
This is something that we all need to be vigilant about.
a) Have a secure password that includes upper and lower case letters plus numbers. Change it monthly.
b) Review computer security settings. Ensure your computer is set to log out automatically after a short period of inactivity.
c) Review mobile phone security. Ensure you have a secure passcode.
d) Keep software regularly updated.
Out-sourcing can help
This is the list of everything I have done so far to ensure that Homeopathy with Tracy is GDPR compliant. (I am repeating the process for Your Radiant Business). There may be a few more things that I haven’t thought of yet. If I find that to be the case, I will update this blog post accordingly.
I mentioned in a previous post that we should all be out-sourcing tasks that are outside of our personal skill-set. I have been very glad to have had a lot of help with my GDPR from my wonderful Admin Assistant Aneeta. She is a Data Protection Officer in her other work, and she’s been instrumental in nudging me through each new step.
I’ve asked her whether she would be willing to help other homeopaths with their GDPR, and she said yes. If you’d like me to put you in touch, please email me: firstname.lastname@example.org
I hope you’ve found this helpful. There is a lot to think about initially but most of it is just common sense.
* The links to Get Timely and Typeform are ‘referral links’ which means that if you choose to go ahead and use them, I receive a small discount on my own subscription.
DISCLAIMER: This is intended to be a general guide. It is important to remember that you, as the business owner and the data controller, have specific legal obligations under the GDPR. You should be confident that any providers (data processors) which you work with have a highly robust approach to data protection, understand the obligations of the GDPR, and are well prepared to meet them. Remember, however, that no provider can offer to “solve” GDPR compliance for you.