Suffice it to say, the General Data Protection Regulation (GDPR) remains as prevalent and as widely discussed as ever, despite having taken effect almost two years ago.
Does GDPR apply to veterinary practices?
The short answer is that it most likely does! If your normal day-to-day working activities within your veterinary practice involve storing or using information relating to named individuals, which could include customers (past or present), employees, suppliers or other named individuals within your veterinary network – then GDPR is relevant.
What should I be doing?
There is no easy or short way to answer this question. But here are seven simple steps you can follow when working towards GDPR compliance:
You must be able to demonstrate that consent has been freely given and is specific, informed and unambiguous. It must be given on an “opt-in” basis. You may need to update existing consents now if they do not comply. If you are posting photos of a customer’s pet on your website or social media channels, we strongly recommend obtaining the customer’s consent prior to posting.
In addition to the information you are currently required to give when you collect personal data, you will also need to set out your legal basis for data processing and your data retention periods, as well as advising individuals that, in addition to their other rights, they have a right to complain to the Information Commissioner’s Office (ICO). This information must be communicated clearly and concisely. Typically, you will find it on your practice website.
Holding and processing data
Under the GDPR you are required to maintain records of your processing activities. You may need to carry out an information audit to ascertain what information you hold, where it came from, what you do with it and who you share it with.
Also, individuals and organisations that process personal data need to pay a data protection fee to the ICO, unless they are exempt. The ICO has a useful tool to check whether you or your organisation needs to pay a data protection fee.
Data protection officer (DPO)
Consider the appointment of a DPO. Identifying an individual who has responsibility for GDPR compliance can be helpful for implementing new policies and practices, monitoring compliance and reporting data breaches quickly and efficiently.
Use your practice team’s operational knowledge to assess what data you hold and how that data flows within (and outside) your organisation.
Rights of individuals
Individuals will have greater rights in relation to their data under the GDPR, including rights of access and data portability, to have inaccuracies corrected, to have information erased, to prevent direct marketing and to prevent automated decision-making and profiling. Remember, the breach of data subjects’ rights attracts large fines – up to €20 million or 4 percent of total worldwide annual turnover (whichever is higher).
Mistakes happen, but you need to make sure you have procedures in place to detect, report and investigate a personal data breach. The GDPR will require you to notify the ICO of certain types of data breach and, in serious cases, the individual affected.
It is important to note that a controller or processor’s ability to present evidence to the ICO of its efforts to comply with the requirements of the GDPR may help reduce its liability under the GDPR.
If a controller or processor demonstrates, for example, that it did not act intentionally in breaching the GDPR and that it effectively implemented organisational and technical measures which were appropriate to the risk, the ICO may take this into account in deciding whether to impose a fine, or it may reduce the fine imposed.
GDPR is concerned with respecting the rights of individuals when their personal information is being processed. Remember, GDPR requires a controller to demonstrate that its data processing activities comply with the GDPR’s requirements. Meeting this requirement means doing more than just establishing data protection policies and procedures. Accountability requires a controller to be able to demonstrate compliance with the GDPR by showing, on an ongoing basis, evidence that the practice’s processes comply with GDPR, that policies are implemented in the practice’s activities, and that effective internal compliance measures and external controls are in place.