Easy speak GDPR summary and solutions below for health and wellbeing practitioners
Don’t freak out about GDPR, it’s actually quite simple! We are not experts on this subject; this is simply The Webmistress’ take on all of these GDPR changes.
I can’t include EVERYTHING in the list below, so please read this checklist from the ICO and adhere to it. There is another checklist here (a more recent blog post) you might also want to look at.
As a wellbeing practitioner you need to be exceptionally careful AND MOST IMPORTANTLY, TRANSPARENT, about the information you hold about a client:
- You must have permission to hold clients’ personal information (read the CONSENT section of this pdf), and you must record when and how you got consent and exactly what it covers
- You must tell clients how you are going to use their information and specify the methods of communication (e.g. by email, newsletter, text, phone call, recorded call, post)
- On a signup/contact form on your website, depending on how you are managing other signups (e.g. newsletter signups), there might not need to be an opt-in tick box. However, you do need to offer information about their data use (point 2 above) and instructions about how they can opt out. Please read the next post about GDPR opt-in advice
- If you have previously added people to a mailing list WITH WHOM you have done ‘business’, you do not need to ask them to opt in now. Please read the next post about GDPR opt-in advice, though if you read number 1 above you will see you need to get consent to hold their info (if you have not previously done so)
- If you have not had an OPT-IN in place previously, and you have not “done any business with an individual”, you must delete their names from your mailing list and you CANNOT EMAIL THEM TO request that they opt in. However, you might want to send an email to all your contacts updating them with relevant info
- You must tell them how long you will hold their data for (there are no rules about how long, so go with “as long as needed” and expand on what that might mean to you). Check with your governing body and insurance company about how long they require you to hold records
- You must store their details safely/securely – this means your phone and your computer should be password protected, your antivirus software kept up to date, etc. For paper records, you need a fireproof safe (EXAMPLE here). You might not need a fireproof safe; I’ve also heard that just something steel and lockable is ok. See the end of this article about reporting a data breach
- Make sure there is an easy/accessible way for your clients to update their info, request what information you hold on them, request that their information be deleted, or make a complaint
- Register with the ICO (it’s only around £30 a year) and keep up to date with the law. The “Data Protection Act requires all businesses to register with the ICO”. Take the test to see if your business needs to register…I’m sure you’ll find the answer to be YES
If you think I’ve missed anything off this list, please let me know.
Continue reading to find out what you need to put into action…
ACTION STEPS: here are just a few solutions for part of the above list
Just to reiterate, we are not experts on this subject; this is simply The Webmistress’ take on all of these GDPR changes and what you can do to adhere to the law.
- Get information from your governing/registered body. For me as a massage practitioner, it’s the Massage Training Institute and the Complementary and Natural Healthcare Council (CNHC)
- Create a form on your website that will allow people to update their information, request that it be deleted, etc. Here is an example form
- In your email signature, add some words about your GDPR policy and a link to the above-mentioned form
- Create a type of consent form (containing information from the first list on this page, e.g. how you are going to use their data), add a link to the form mentioned above (no.2 in this list) and hand it to your clients at their first visit for them to sign. Better yet, get a form on your website to handle that so you don’t have to shuffle this paper
- Use something like MailChimp to handle your mailing list updates
- Send your clients an email about all this GDPR stuff and let them know all the relevant information, including a link to the forms (no.2 and no.4 in this list)
- Add some information to the contact page on your site about what you will do with their information should they fill in the contact form
- Consent guidance
- ICO GDPR: 12 steps to take now
- GDPR checklist from the ICO
- ICO Advice Service (0303 123 1113)
- Live Chat
What is GDPR?
GDPR, or General Data Protection Regulation to give it its full name, is a Europe-wide overhaul of the Data Protection laws originally created in the 90s. Since those laws were created, quite a bit has changed in how companies handle and protect customer data. The changes from May 2018 are designed to bring the laws up to date.
The new regulations apply to all European businesses, including the UK, from May the 25th 2018. Our decision to leave the European Union won’t affect whether this applies or not.
The GDPR isn’t a huge change from the previous Data Protection laws currently in place; it is more of an update to make them better suited to how much data businesses now hold on their customers and employees.
Does the GDPR affect me?
If you handle any customer or employee information, then yes. Any records you keep which may be considered ‘personal information’ or ‘sensitive information’, such as client histories, treatments or conditions, are covered. Personal information includes anything which may be used to identify a person. Names and addresses are obvious examples, but there are less obvious ones such as IP addresses: a number which identifies the computer that accessed your website, and which your website will store in its logs.
Sensitive information includes information such as physical and mental health, ethnic origin, sexuality or religious beliefs.
Even if you anonymise data, you may still be subject to the GDPR, depending on how easy it is to decode it back to the individual. For example, anonymising by using initials may make it easy for someone to identify people if they know the circles of people you work with.
What does the GDPR require me to do?
Article 5 of the GDPR outlines a series of requirements for how you should handle an individual’s data. To be compliant with the legislation, the data must be:
- Collected lawfully, fairly and transparently.
- Collected for a specific, explicit and legitimate purpose. You must declare why you are collecting it, and you can’t use it for a purpose you haven’t set out originally.
- Adequate, relevant and limited to what is necessary for that purpose. You can’t collect information “just in case”; there has to be a purpose for it.
- Accurate and kept up to date. You need to be taking steps to ensure this data is kept up to date so it is being used properly. Inaccuracies must be identified and corrected quickly.
- Stored in a way which allows the identification of the individual for no longer than necessary. The longer you store something which identifies an individual, the greater the risk of that data being accidentally released.
- Processed in a manner which ensures appropriate security and safety of the data. This includes preventing it being processed or accessed by someone without permission, or it being damaged or lost.
These requirements have direct consequences for most small businesses.
Have a think about how you handle your client notes
- Are they stored somewhere safe where no one else can access them? If you store them on a computer, is your antivirus software up to date, to reduce the risk of those documents being taken by a hacker?
- When was the last time you destroyed old notes for clients you haven’t seen for 5 years?
- Did you tell your customers what you’d do with their data when you collected it through your website?
The GDPR and Data Protection Acts mean it is your responsibility as the Data Controller to follow this legislation and ensure any data collected is appropriate, used correctly and protected.
Do you need help with implementing GDPR into your business and website?
What is a Lawful Basis for Processing?
To collect data about individuals, you must have a ‘lawful basis for processing’.
There are 6 lawful bases, and at least one of them must apply.
Critically, when you are collecting data, you must make it clear which of these bases you are applying to collect it, and stick with it. For example, one of the bases is consent. This means that you have the individual’s consent to process their data. If they later withdraw their consent, you cannot continue to use it, or swap to a different basis to continue using it.
The lawful bases are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This basis is quite complicated and you should read up further if you want to use it.
For most businesses, data is collected under a Consent or Contract legal basis.
More info: ico.org.uk – Lawful basis for processing
What are the individual rights?
The right to be informed
This requires you to be clear with individuals about the data you are capturing, how you are looking after the data and what you intend to do with it. This may mean you need some information on your website about the details you capture when clients book sessions or fill in a form asking about your services.
More info: ico.org.uk – Right To Be Informed
The right of access
Individuals have the right to see what data you hold on them. GDPR requires this to be free of charge, unless the request could be considered excessive, repetitive or vexatious, in which case you may charge only the administrative cost of providing the information.
More info: ico.org.uk – Right Of Access
The right to rectification
If there is an error in the data you have collected, individuals have a right to have it corrected. You must also ensure that the data is corrected if it has been passed on to any other third parties for further processing.
More info: ico.org.uk – Right To Rectification
The right to erasure
Also known as the right to be forgotten, this right means individuals can ask for their data to be deleted, which must be actioned unless there is a compelling reason to retain it. This right isn’t 100% straightforward, as the request must match a number of specific circumstances. The more obvious circumstances are where the individual has withdrawn consent for you to use it (data used in a survey or study, for example) or where the data is no longer necessary for the purpose it was collected for (information about a massage client who doesn’t intend to return).
There are also conditions under which you can refuse to erase data.
More info: ico.org.uk – Right To Erasure
The right to restrict processing
This right means that individuals can block the further processing of their data. “Processing” covers collecting, storing, using, transforming or really doing anything with the data. If a user requests that their data shouldn’t be processed, it can still be securely retained. If it has been discovered that some of the data you hold is incorrect, it should also be restricted from further processing until this is corrected, to prevent any unanticipated impact of that processing.
More info: ico.org.uk – Right to restrict processing
The right to data portability
An individual can ask for copies of their data, and you must supply it to them in a “structured, commonly used and machine readable form”. This means that it’s provided in a format like a CSV (a comma separated text file) which can be easily imported into an application and used.
This right ONLY applies if the data was “processed” (so, collected, for example) in an automated way. For example, if your customers contact you via a form online through your website, this right would apply. If you collected all their data by hand, it would not.
The right to object
This right means that individuals can object to, and therefore prevent, their data being processed in certain ways. Examples are their data being used for direct marketing (sending emails, telephone calls, letters and flyers) or for research or historical statistics.
This means you need to be clear about how you are using their data, and give them the opportunity to say “no thanks”.
Rights in relation to automated decision making and profiling
The GDPR also creates and improves individuals’ rights about how automated systems make decisions about them and the profiles they create. For example, how automated systems make decisions about an individual’s credit rating.
Reporting a data breach
Have the right procedures in place to detect, report and investigate a personal data breach. Report a data breach to the ICO if “the breach is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”
Any ideas to add to the second list on this page?
Please comment below.