GDPR is coming! Are you prepared? In this blog, I’ve tried to summarise the position relating to ‘marketing for dentists’.
GDPR is the General Data Protection Regulation (officially (EU) 2016/679). Whilst it has some new aspects, it is not really new: it is an evolution of the current European rules on data privacy and protection, and it aims to strengthen individuals’ rights regarding the collection, use and storage of their personal data. The penalty for ‘non-compliance’ can be up to 4% of turnover.
Any data that can be used to identify a living person, directly or indirectly, is classed as personal data, e.g. name, address, email address, NHS number, location data, IP address (the computer details used to access your website).
As the name implies, this is a special class of data and includes race, health status (i.e. oral health, dental records, treatments etc.), marital status etc.
In essence your patients need to be assured you only store the data you need, you keep it secure and safe, you allow the patient to view it if they want, and if there are any errors, you will make any alterations the patient informs you about, and if they want the data ‘deleted’ you can activate this.
This blog doesn’t propose to cover items 1, 2, 4 or 5 above, and we’d recommend you speak to your Defence Union, IT suppliers, Practice Management Software suppliers etc to get more detailed advice on these matters. But, at the bottom of the page, there are a number of links you may find useful.
No matter how small you are, you have to securely collect, store and use personal information. Whilst ‘Article 30’ of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR, if you use the data regularly (i.e. in practice management software) or have a ‘data breach’, GDPR will certainly apply to you, and therefore so will the potential fines!
Many dentists feel that, as ‘medical practitioners’, the rules don’t apply to them. Certainly, under point 4 above, you have a legal basis for collecting and storing data about your patients. But you will still have to comply with data security etc., and, whilst you’re obviously entitled to email patients about ‘appointments’, if you’re deemed to be ‘marketing’ you will need to have received ‘permission’.
Okay, so with all the official info out of the way, and now that we’ve established that GDPR does apply to you, let’s talk about how to make sure your website is compliant:-
GDPR is very hot on the subject of direct marketing and it is clear that you must have received explicit consent from a person before you can email them.
As dentists you have no doubt collected, over the years, many, many email addresses from your patients, and you would imagine that it’s OK for you to send recalls and reminders, but, to date, I’ve seen nothing in writing that confirms this. However, it is written that before you can market to anyone (so informing patients about a special offer, new treatments available etc.) you must have garnered ‘explicit consent’, so even if the tick box on your website’s form is set to ‘agree’ by default, this would count as a ‘violation’!
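As an added example (not code from the original post), here is a small Python check for the pre-ticked-box problem: it audits a form’s HTML for checkboxes that are ticked by default, and shows a server-side handler that records consent only when the visitor actively ticked the box. The form markup, field names and wording version are constructed for illustration.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Dict, List, Optional


class _CheckboxAudit(HTMLParser):
    """Collects the names of checkbox inputs that carry a 'checked' attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.pre_ticked: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as 'checked' map to None
        if tag == "input" and (a.get("type") or "").lower() == "checkbox" and "checked" in a:
            self.pre_ticked.append(a.get("name") or "<unnamed>")


def find_pre_ticked_boxes(form_html: str) -> List[str]:
    """Return the names of checkboxes ticked before the visitor touches the form."""
    parser = _CheckboxAudit()
    parser.feed(form_html)
    return parser.pre_ticked


def build_consent_record(submitted: Dict[str, str], wording_version: str,
                         now: datetime) -> Optional[Dict[str, str]]:
    """Server side: accept consent only when the box was actively ticked.
    Browsers omit unticked checkboxes from a submission, so a missing field
    means 'no consent'; the record keeps what was agreed to and when, as evidence."""
    if submitted.get("marketing_consent") != "yes":
        return None
    return {
        "email": submitted["email"],
        "purpose": "marketing emails (offers, new treatments)",
        "wording_version": wording_version,  # which consent text the patient saw
        "given_at": now.isoformat(),
    }


# Constructed sample form: the reminder box is unticked, but the marketing
# box has been pre-ticked, which is exactly the pattern the text warns about.
SAMPLE_FORM = """
<form method="post" action="/register">
  <input type="email" name="email">
  <input type="checkbox" name="reminder_consent" value="yes"> Send me appointment reminders
  <input type="checkbox" name="marketing_consent" value="yes" checked> Send me offers
</form>
"""

if __name__ == "__main__":
    print("pre-ticked boxes:", find_pre_ticked_boxes(SAMPLE_FORM))
    # A visitor who ticked nothing submits no 'marketing_consent' field at all.
    print(build_consent_record({"email": "patient@example.com"}, "v1", datetime.now(timezone.utc)))
```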
There are other implications too: if you wish to buy a mailing list, say from a local newspaper, you would be sending emails illegally to the recipients, since no one explicitly asked to receive emails from you.
So, to my mind, best practice would be for you to email to every patient and ex-patient whose address you have, requesting them to ‘opt in’ to receive emails from you. You need to:-
So, to sum up, GDPR compliance shouldn’t be too complicated for a small practice, but everyone needs to be thinking and acting to ensure they do not run the risk of falling foul of the changes.
What does GDPR mean to me and my small business
Problems with Medical Practice Management Databases in the UK
Preparing for the General Data Protection Regulation (GDPR)
GDPR Consent Guidance