Chris Moffatt explains what GDPR is and what you have to do to stay compliant.
What is GDPR?
GDPR is the General Data Protection Regulations, a set of rights and obligations around data protection that provide more rights for individuals to control the data that is held about them, and more responsibilities for data controllers to manage data in a responsible way. The GDPR regulations were published in May 2016 and became law on 25 May 2018.
This article summarises the regulations, and should be used only as a general guide. We would advise all data users to seek suitable legal advice in order to understand their own situation and ensure that they adhere to all relevant regulation.
What are the key principles?
The key points of the GDPR framework are:
- Personal data must be processed fairly and lawfully, kept securely, and stored for no longer than necessary
- This data must be collected and processed for a specific, legitimate purpose, and the data must be relevant to that purpose
- The data must be accurate and kept up to date, and individuals have the right for their data to be erased.
How does this differ from previous data protection regulations?
GDPR has replaced the old European framework for data protection law, which was established in 1995. GDPR has harmonised data privacy laws across Europe.
Will Brexit affect GDPR?
The UK is implementing a new Data Protection Bill, which largely includes all the provisions of the GDPR. Brexit will have no impact on this.
Why does it affect dentistry?
Any company in Europe that stores data and can personally identify individuals is subject to the GDPR principles. Most dental practices are in a good position to deal with the requirements of GDPR; dentistry is already a highly-regulated profession, and many practices already have strong data protection procedures in place.
Companies who hold your data, such as your dental consumables supplier, will likely have contacted you recently to ask for your consent to be sent marketing information, and explain your new rights.
What rights do consumers now have?
Consumers now have much more control over how their data is stored and used. Individuals have the right to be informed about the collection and use of their data in detail at the time they provide that data. They have the right to obtain confirmation that their data is being processed, and have access to that data free of charge. If their data is inaccurate, it must be rectified within one month of the request. Individuals have the right to have their personal data erased, and can also restrict or suppress their data. Individuals can object to direct marketing, profiling, processing of their data for research and statistics, and any automated decision making based on their data.
So we all have far more control over how our data is used and stored. Many of these changes were to bring data protection legislation in line with our modern, digitally connected world.
Can I still send marketing to my own patients? Are recalls covered by GDPR?
It is likely that recalls would be considered a legitimate use of a patient’s data, and therefore you will not need to obtain explicit consent for this. However we would advise taking legal advice to confirm this.
If you want to send marketing information to patients, either by email or otherwise, you will need to gain explicit consent for this under GDPR. This could mean asking the patient to sign a form saying ‘I’m happy to be sent marketing from my dentist by post’. Note that you need to ask for consent for every type of marketing contact that you plan to use – print material in the post, email, phone calls etc. You will need to keep a record as to when consent was received, and also provide a method by which patients can alter their permission or opt out.
If you don’t have consent, you can’t contact that patient with marketing information.
What was the NHS response?
Part of the national NHS response has been to introduce the ‘National Data Opt-Out’. This gives patients more control over their identifiable health data. More information is available from the NHS website.
Where I can I find out more?
We hope this has been a useful introduction to GDPR within dentistry. We would strongly advise finding out more. The ICO is responsible for enforcing GDPR in the UK, and extensive information is available from its website. The BDA has also published extensive information on GDPR within dentistry and has a useful CPD course on GDPR available.
Follow Kent Express on Twitter.
Follow Kent Express on Facebook.