The forthcoming GDPR carries heavy penalties for breaches in the handling of personal data within the EU (including the UK post-Brexit). The Advocacy Partnership’s team share their thoughts and have some handy tips for you.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, replacing the Data Protection Directive 95/46/EC.
If you control data and/or undertake data processing, including client or patient names, identifying information or mailing lists, you are in the firing line. Sending that mail-out to the contacts in your client database will be much more onerous and risky under GDPR.
For the healthcare professional, GDPR covers all data relating to the physical or mental health of an individual, including the provision of health care services that reveal information about his or her health status.
Post-Brexit, non-compliance isn’t an option, as the GDPR requirements will continue to apply.
GDPR at a glance
- Personal data definition – directly or indirectly identifiable personal information, with specific requirements relating to “sensitive personal data”, such as:
  - contact details,
  - dates of birth,
  - racial or ethnic origin, religious or philosophical beliefs,
  - political opinions, trade union membership,
  - genetic data, biometric data,
  - a person’s sex life or sexual orientation.
This broad definition includes data both within and beyond the scope of HIPAA.
Personal IP addresses are treated as personal data under GDPR – but you may not even be aware that your software, and your service providers, are recording these on your behalf.
- Consent requirements – consent must be freely given and will need to be on an opt-in basis, with clear affirmative action required. Opt-out will no longer constitute sufficient consent. The consent process needs to be clearly documented and verifiable.
You will also need to have separate permissions for different marketing materials.
- Repermissioning campaigns – if you’re not already operating an opt-in approach, you’ll have to run an entire repermissioning campaign with all people in your database.
- Rights of individuals – a new right relating to data portability is included under GDPR.
- Definition of responsible parties – There are both Controllers and Processors of data. In some cases, Processors may have greater obligations under their processing contract.
- Reporting obligations in case of a breach – you must notify supervisory authorities and affected individuals of a data breach within 72 hours of discovery under GDPR.
- Penalties for non-compliance or breaches – there is a tiered approach to penalties: at the lower tier, 2% of annual turnover and €10 Mn; at the higher tier, 4% of annual worldwide turnover and €20 Mn.
Why you need professional help in dealing with GDPR
The above probably has you thinking, “Where do I start? What can I do?”
With only 9 months left until GDPR comes into force the time to act is now.
Addressing GDPR, like most other regulations we’ve seen around the world, is best tackled as early as possible to ensure that you are compliant from day one. Simply ignoring the state of your data, mailing campaigns, contact records, and personally identifiable information is no defence against GDPR breaches. The consequence of not complying is potentially irreparable damage to your reputation, your brand, and even your clients.
Preparing for the GDPR can be slow and painful, but with careful and early planning and preparation, coupled with the right advice and assistance, you can be GDPR ready well ahead of the May 2018 deadline.
Conducting an audit and assessment of your current state, including a PIA (privacy impact assessment) to determine what personal data you currently hold and how it is stored, handled, updated, and protected, is an important first step. It provides the foundations for implementing the workflows and assurance needed to protect you, your clients and your patients.
Reviewing and modifying your processes for collecting contacts, managing them, and communicating with them, as well as the work involved in repermissioning, can all be done efficiently and comprehensively if you act early to get the right help.
It’s also the perfect time to review your digital strategy, set out your communications plan, and review your cyber security arrangements to protect you from hacking, unexpected data theft or loss, and information misuse.
That’s where we come in.
Avoid the last-minute rush: research indicates that as many as 80% of organisations remain unprepared for GDPR. Don’t be one of them.
Contact The Advocacy Partnership today to find out more about GDPR; we can advise you on the prevailing requirements applicable to your healthcare and wellness business.