The EU General Data Protection Regulation (GDPR) came into effect on the 25th of May and brought with it additional and enhanced considerations for the dental profession in the protection of personal data.
The GDPR is the biggest overhaul of data protection law in 20 years. All dental professionals must show compliance with GDPR, and you are likely to have already received questions about your approach to GDPR from your patients and/or their families. Ignorance of the law will be no defence, and the penalties for non-compliance are severe.
Regardless of the size of your dental practice, the GDPR will have a direct impact on it.
Why should dental practices take GDPR seriously?
Power Given to Data Subjects
It is known within the legal and regulatory community that, although the regulatory bodies will carry out random inspections of organisations after GDPR comes into effect, most of their regulatory investigations will stem from complaints made directly by data subjects.
The regulatory bodies have also said that they have invested in educating the general public about their data protection rights under GDPR (through advertisements on radio, TV, in newspapers etc.), which in turn will bring a wave of data subjects contacting organisations to assert their rights under GDPR.
So, in essence, we will see a move towards data subjects requesting and testing organisations' GDPR compliance efforts which, if handled inadequately, can lead to civil and regulatory investigations. This could also result in dental firms losing their practice licence or their reputation within their community, which would be devastating for the survival of the practice.
Under the GDPR, the scope and nature of the administrative fines which regulatory bodies such as the UK’s ICO can impose on non-compliant organisations have significantly increased. Such fines may be up to €20 million or 4% of the undertaking's total worldwide annual turnover (whichever is greater) for breaches of GDPR.
Reduced Time-frame to respond to Data Breach
The GDPR provides specific breach notification rules. You must notify a breach to the relevant supervisory authority within 72 hours of becoming aware of it. It is recognised that you may have to provide information in phases as your investigation takes place. If the breach is serious, you may also need to notify patients, and if so you must do so without delay. Failure to notify a breach can result in a hefty fine under the GDPR.
Privacy Impact Assessment
Privacy Impact Assessments (PIAs) help practices to identify the most effective way to comply with the obligations of the GDPR. The assessment sets out the options for addressing each identified risk and whether those options result in the risk being eliminated, reduced, or accepted.
Heightened Data Subject Rights
There are a number of data subjects’ rights which can limit an organisation’s ability to lawfully process personal data, for example the right to be forgotten, the right of access and the right to restrict processing. This means that dental practices need to update and create internal policies and procedures in order to show how the above data subject rights can be carried out within the practice’s everyday operations.
An important aspect of the GDPR is the requirement to offer people choice and control over how their data is used. For clinical records there is a legal basis for processing special data. But if you are sending out email newsletters for example, you will need to consider the consent requirements, which include:
- Details are given about the different ways data will be used, with the ability to choose between them, e.g. email newsletters and/or printed newsletters
- The consent statement must be clear and specific, and the indication of consent must be unambiguous
- Tick boxes must never be pre-ticked; this is called ‘positive opt-in’
- Consent must be easy to withdraw, with a clear way to withdraw it at any time
- Evidence of consent is kept, including who consented, when, how, and what you told people
- The consent process is kept under review, and refreshed if anything changes
Sensitive and Personal Data
The Sensitive Personal Data subject must give “explicit consent” to the processing of such data, which may prove difficult in the case of children or vulnerable patients.
GDPR states that organisations who deal with such sensitive personal data will need to appoint a Data Protection Officer (DPO).
Thus, given the nature of dental practices’ business, there is the added complication of complying with the requirements for both the sensitive and the personal data that they control and/or process, which requires detailed administrative attention.
Author: Sana Khan, Lawyer and Co-Founder of Supportica www.supportica.ie