More than two years have passed since the General Data Protection Regulation (GDPR) came into force and we have already witnessed several fines and warnings to businesses with regard to data compliance. When using client reminder services (even those which are outsourced to third parties) here are some of the issues you should be considering.
My practice already sends out appointment reminders – can I do this and do I need individual client consent to do so?
Most practices operate, or will be thinking about operating, an automated appointment reminder service. However, in order to do so, explicit consent must be obtained from your client before such reminders are sent. Any consent you do obtain needs to be freely given, specific and unambiguous and must be given by an affirmative action, for example a positive “opt-in”, rather than a catch-all “opt-out” tick box. Records must always be kept of the consents that have been obtained.
If your practice uses third-party providers for these appointments, ensure that your privacy notice notifies your clients of these services and also check whether such third-party providers have similar GDPR standards to your own.
If my practice has already obtained consent to send out appointment reminders, how long will this consent last and how often should I ask clients to refresh that consent?
Under the GDPR, you are not required to refresh all consents received, providing these fit the requirements for the GDPR, ie that consent is specific, clear and properly documented and has been freely given on an “opt-in” basis.
If any consents do not comply with the above, or you have not heard from the individual client for some time, you should consider refreshing consent.
All communications and correspondence regarding appointment reminders should contain an option for your client to “opt-out” or at least information on how your client can “opt-out”.
What happens if a client does not wish to be contacted or reminded of their appointments?
Firstly, your practice’s privacy notice must be clear, concise, transparent and easily accessible to your clients. This document will contain all the information your client needs to see how your practice handles, processes and stores personal data.
Equally as important is giving your client the option to freely withdraw their consent to receiving appointment reminders. As a practice, you should also be keeping all consents under review and refreshing this consent if anything changes.
Are there different rules if I send leaflets in the post, or text messages and/or emails?
Yes. In this instance prior specific consent must have been obtained from your client in order to direct market via these forums. If you do not have such consent to contact your clients directly, you should ask your clients to “opt-in” the next time they visit the practice, or by them signing and returning a letter confirming the same. You should be wary of emailing your clients asking for this consent, because this in itself could constitute direct email marketing and could therefore breach the GDPR.
Again, you should keep records of all client consent, including the date on which it was given and the content that the consent covers.
What are the three key points that practices should be aware of?
- If you are sending appointment reminders, make sure you have your client’s consent to do so. If you already have their consent, consider when this was given and whether updated consent is needed
- Review your privacy notice and other client communications to ensure that your client easily understands how to give or how to revoke their consent to receiving appointment reminders
- Keep accurate records of all client consents received, recording the date such consent was given and the content of that consent