General Data Protection Regulation (GDPR)

With the General Data Protection Regulation (GDPR) due to come into effect in May 2018 we thought we’d take a look at how it can effect you and how iCLINICIAN can help your business to be GDPR compliant.

The Information Commissioner’s Office, the independent authority set up to uphold information rights have produced a 12 step guide for businesses to help you make sure you are ready for GDPR.  There is also an online check sheet to help in the process.  In this article we’ll outline what it covers and how iCLINICIAN can help.

Step 1

1. Awareness – Making sure decision makers and key people in the business are aware of GDPR.
2. Accountability – This may include internal data protection policies, staff training, internal audits of processing activities and reviews of internal HR policies to minimise the risk of breaches and uphold the protection of personal data.  For businesses using iCLINICIAN Premium we are able to create different user account capabilities such as removing the ability for certain staff to export records from iCLINICIAN to excel.
3. Information you hold – Businesses need to document what personal information they hold, where it came from and if they share it with any other organisations have a process in place for updating any inaccuracies in data you hold with them.
4. Data Protection by Design and Data Protection Impact Assessments – A DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons” so we believe this is not something we need to be concerned about in our industry.
5. Data Protection Officers – Most small business don’t need to formally designate a DPO.  They just need to have someone who takes proper responsibility for their data protection compliance and has the knowledge, support and authority to do so effectively.

Step 2 – Key Areas to Consider

1. Lawful basis for processing personal data – Businesses must explain their lawful basis for processing personal data in their privacy notice.  You should document this in order to help you comply with the GDPR’s ‘accountability’ requirements.
2. Consent – ICO advice says that consent should not be a precondition of signing up to a service unless necessary for that service.  We would argue that for medical procedures, it is necessary.
3. Children – No relevant in the aesthetics industry.

Step 3: Individuals’ rights

1. Communicating privacy information – Businesses should review their current privacy notifications.  There is additional guidance on this on the ICO website.
2. Individuals’ rights – ICO provides guidance on the 8 rights.
   1. Right to be informed – emphasises the need for transparency over how businesses use personal data typically through their privacy notice.
   2. Right of access – Ability to provide individuals with their data if they request it.  iCLINICIAN already includes the ability to email consent forms to patients.
   3. Right to rectification – Patients can already have their information rectified by iCLINICIAN users during the personal data check during appointments.
   4. Right to erasure – Businesses need to delete an individual’s information if they request it.  You can refuse if you are complying with a legal obligation.  In the medical aesthetics industry we therefore understand this to mean that business would need to delete individuals who have not had a treatment but not those who have as their is a legal requirement to maintain a record of treatment.
   5. Right to restrict processing – Individuals have the right to block use of their personal data.  iCLINICIAN already allows you to uncheck Email and SMS reminders.
   6. Right of data portability – Allow individuals to reuse their data across different services.  iCLINICIAN already reuses data for each new treatment.
   7. Right to object – Businesses must deal with an objection to processing for direct marketing at any time and free of charge.
   8. Rights related to automated decision making including profiling – The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
3. Subject Access – Businesses must ensure that they have a plan in place to handling data requests from individuals.  In most cases you cannot charge and you have a month to provide the information.

Step 4 – Breach Notifications

Data Breaches – Have processes in place to reduce the risk of breaches, detect breaches and inform clients of breaches.

Step 5 – International Transfer of Data

This is unlikely to effect the majority of aesthetic business  If you are a larger multi-national business then you will need to comply with the regulations for transferring personal data outside of the EU.