GDPR comes into effect next month. Here’s all you need to know…

Business owners across the EU are scrambling to ensure they’re compliant with the new General Data Protection Regulation (GDPR) before it comes into effect on 25th May. As a dentist, you may not primarily identify as a business owner, but if you own your practice then you’re on the hook – so make sure you’re paying attention.

Here at Milkshake, we make it our business to help you with all things marketing, and that includes ensuring your communications practices are compliant.* So, we put together a FAQ of sorts, to help answer some questions you might have about the new requirements:

How far in advance should a practice be sending out consent campaigns?

Ideally now. It is never too early to start to gain consent and you should be doing this both internally, when patients attend for appointments, and via a specific consent campaign.

Must the marketing and communication consent be a separate form to medical history?

The marketing consent simply needs to be clearly specified as such, so that patients understand what they are consenting to, without ambiguity. This can be included all on one form, so long as it is clear and the consent can be clearly evidenced.

What's your view on practice newsletters? Would these require marketing consent for GDPR?

Yes. A practice newsletter is marketing communication, and sending out marketing communication requires consent, regardless of whether it goes out by post or by electronic means such as email or SMS.

We have a personal details form that patients complete yearly. One of the questions is, “Do you consent to receiving updates via sms messages yes/ no; emails yes/no?” Is this enough, or do we have to specify exactly what we would message them or email about?

The ICO's guidance on consent under GDPR says that, when relying on consent, your method of obtaining it should:

  • be displayed clearly and prominently;
  • ask individuals to positively opt in, in line with good practice; and
  • give them sufficient information to make a choice.

If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid. In addition, if you are processing information for a range of purposes you should:

  • explain the different ways you will use their information; and
  • provide a clear and simple way for them to indicate they agree to different types of processing.

In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another. Good practice would be to list the different purposes with separate un-ticked opt-in boxes for each, or Yes/No buttons of equal size and prominence.

Dentists providing NHS care will be regarded as public authorities. I read that, under GDPR, all public authorities will require a Data Protection Officer no matter their size. Is that correct?

The role of a Data Protection Officer, as set out in GDPR (Articles 37 to 39), is to be the source of expert knowledge, training, advice and guidance on data protection, to monitor the practice's compliance with GDPR, and to act as the point of contact for the ICO and for patients with data protection queries. A Data Protection Officer does not have to be an employee of the practice: the role can be fulfilled under a service contract, and several practices may share a single DPO.

GDPR (Article 37) requires the appointment of a Data Protection Officer where an organisation is a public authority, or where its core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data. Health data is a special category, so for a dental practice it is the ‘large scale’ test that matters.

Current guidance as to what constitutes large scale processing is unhelpful – GDPR Recital 91 indicates that an individual doctor would not be a large-scale processor, but a hospital would be, and says nothing about the cases in between. So, a dental practice with 2,000 patients on its list will not be required to have a Data Protection Officer, but one with 10,000 patients on its list might be. Unfortunately, there is no clear guidance as to where the line falls. Therefore, it is reasonable that a small dental practice may legitimately consider that it does not require a DPO, whereas larger multiple-location or corporate dental practices are likely to need one. Whatever you decide, record the reasoning, as you may need to justify it to the ICO.

To complicate matters further, dentists providing NHS services are regarded as public authorities, so even a small NHS practice will require a DPO.

Clear as mud?

Unfortunately, GDPR does leave some ambiguities that can lead to anxiety about falling on the wrong side of ‘best practice’. If you want to be sure to get it right, the best solution is to put us in charge of your marketing. We’ll always ensure your website and communications are compliant – as well as being effective!

Any questions, or want to hear more about how we can help? Get in touch today!