Dubbed by the Information Commissioner as “the biggest change to data protection law for a generation”, the General Data Protection Regulation (GDPR) is set to revolutionise the way we all hold and process personal data. The GDPR is an EU regulation which aims to strengthen current provisions under the Data Protection Act and give us back control over the use of our personal data.
New obligations, greater accountability and heftier fines mean businesses, including veterinary practices, should be taking steps now to make sure they will be able to comply with the GDPR when it comes into force on 25th May 2018.
How will this affect me and my practice?
Your practice will most likely hold personal data relating to both your customers and your employees, which all need to be collected, held, processed and protected in compliance with the GDPR. While the GDPR brings with it improved protection for your customers’ and employees’ data rights, you will be placed under greater burdens as a holder of personal data, with serious non-compliance bringing potential fines of up to the greater €20,000,000.
What key things do I need to consider as part of my practice’s GDPR strategy?
How do you collect your customers’ data? How do you communicate with your customers? Do you have the right consents from your customers?
These are just some of the questions you need to be asking yourself when thinking about the GDPR in relation to your customers’ data. The regulations place much greater obligations on you to ensure that you communicate in a clear, transparent way with your customers and obtain the correct consents from them or, if you don’t have explicit consent, to show that you have a lawful basis for how you use their data.
If you are sending emails to your customers to arrange appointments, provide treatment reminders or market a new brand of worming drugs, you will need to make sure you have already obtained the right consents to do this. Any consent you obtain needs to be granular and done via positive opt-in consent, so catch-all opt-out tick boxes are no longer an option!
How is the data you collect stored? Do you have a practice management system? Do you outsource to any third parties? How is your customer and employee data protected? Again, a whole host of issues are introduced when thinking about storage, processing and protection of any personal data and any third parties who have access to that data. Your first steps in ensuring you are compliant are mapping the flow of your data and undertaking a GDPR audit. This will allow you to identify what happens to the personal data, from the point of collection to its erasure, and how you can ensure it is adequately protected.
Prevention is better than cure!
Every veterinary practice, whether using CRM systems or just booking appointments over the phone, will be holding or processing personal data at some point. With the regulations only four months away, you need to be thinking now about how you can ensure that your practice’s contracts, policies and procedures surrounding personal data are compliant with the new legislation.