What is GDPR?
GDPR is the General Data Protection Regulations, a set of rights and obligations around data protection that provide more rights for individuals to control the data that is held about them, and more responsibilities for data controllers to manage data in a responsible way. The GDPR regulations were published in May 2016 and come into law on May 25th 2018.
This blog summarises the regulations, and should be used only as a general guide. We would advise all data users to seek suitable legal advice in order to understand their own situation, and ensure that they adhere to all relevant regulation.
What are the key principles?
The key points of the new framework are:
– Personal data must be processed fairly and lawfully, kept securely, and stored for no longer than necessary
– This data must be collected and processed for a specific, legitimate purpose, and the data must be relevant to that purpose
– The data must be accurate and kept up to date, and individuals have the right for their data to be erased
How does this differ to existing data protection regulations?
GDPR replaces the existing European framework for data protection laws, which was established in 1995. GDPR harmonises data privacy laws across Europe.
Will Brexit affect GDPR?
The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. Brexit will have no impact on this.
Why does it affect dentistry?
Any company in Europe that stores data that can personally identify individuals will be subject to the GDPR principles. Most dental practices are in a good position to deal with the requirements of GDPR; dentistry is already a highly regulated profession, and many practices already have strong data protection procedures in place.
You’ll find that companies who hold your data, such as your dental consumables supplier, will be contacting you to ask for your consent to be sent marketing information.
What rights will consumers now have?
Consumers will have much more control over how their data is stored and used. Individuals will have the right to be informed about the collection and use of their data in detail at the time they provide that data. They will have the right to obtain confirmation that their data is being processed, and have access to that data free of charge. If their data is inaccurate, it must be rectified within one month of the request. Individuals will have the right to have their personal data erased, and can also restrict or suppress their data. Individuals can object to direct marketing, profiling, processing of their data for research and statistics, and any automated decision making based on their data.
So we will all have far more control over how our data is used and stored. Many of these changes are to bring data protection legislation in line with our modern, digitally connected world.
Can I still send marketing to my own patients? Are recalls covered by GDPR?
It is likely that recalls would be considered a legitimate use of a patient’s data, and therefore you will not need to obtain explicit consent for this. However, we would advise taking legal advice to confirm this.
If you want to send marketing information to patients, either by email or otherwise, you will need to gain explicit consent for this under GDPR. This could mean asking the patient to sign a form saying “I’m happy to be sent marketing from my dentist by post”. Note that you need to ask for consent for every type of marketing contact that you plan to use – print material in the post, email, phone calls etc. You will need to keep a record of when consent was received, and also provide a method by which patients can alter their permission or opt out.
If you don’t have consent, you can’t contact that patient with marketing information.
What is the NHS response?
Part of the national NHS response is to introduce the “National Data Opt-Out”. This will give patients more control over their identifiable health data. More information is available from the NHS website.
Where can I find out more?
We hope this has been a useful introduction to GDPR within dentistry. We would strongly advise finding out more. The ICO are responsible for enforcing GDPR in the UK, and extensive information is available from their website. The BDA have also published extensive information on GDPR within dentistry and have a useful CPD course on GDPR available.