GDPR – What’s That?

The General Data Protection Regulation (GDPR) is a new legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). … GDPR will come into effect across the EU on May 25, 2018.

The regulation replaces the current Data Protection Directive (95/46/EC).

The UK government has confirmed that the GDPR rules will remain in effect after the UK's exit from the EU.

Please note, this article does not constitute legal advice. Please consult a Data Specialist or legal advisor for specific advice.

An Overview of GDPR

In practice, GDPR is not that different to the current Data Protection Directive. It will mean some extra work on our part but as more and more data is held electronically the new regulations are actually a really good thing!

As hypnotherapists, we often hold very private and sensitive information, so all the information we hold really must be properly protected. Many of the points covered in GDPR are in fact already part of the Code of Conduct required by the Professional Hypnotherapy Network and other professional organisations.

Typically for all new clients you take the following information:

Contact details
Date of birth
Next of kin
Medical history (health information is "special category" data under GDPR, so it needs a specific lawful condition for processing, usually the client's explicit consent, and extra protection)

From May 25th 2018, when GDPR comes into effect, your clients will have the right to:

Access any of this information and all content that forms part of their notes and records. All information should be in a form that your client can understand without expert medical knowledge.

Clients must be informed if their personal information has been forwarded to a third-party (healthcare professional, Doctor, insurer or school, employer etc).

Any inaccurate information must be corrected. For example, if the client stated they were on a particular medication and got the name of that medication wrong, this must be corrected as soon as you are aware that the information is wrong. If you have passed this information on to any third parties, you must notify them and ensure that it is corrected in their records too.

Clients will have the right to have their personal data deleted, for example if they move to another hypnotherapist. In this case the client can argue that you no longer need the information because you are no longer working with them, or they can withdraw consent for you to hold their information. Note that this right is not absolute: if you have a legal or regulatory obligation to keep certain records (for example for insurance or professional-body purposes), you may retain those records, but you must tell the client why.

You must be able to show that you have deleted the data, regardless of whether it is in electronic form or on paper. You must also inform any third parties to which you sent that client's information that you have deleted the client's data, so that they can do the same.

Clients will have the right to object to, or restrict, further use (processing) of their information.

Clients can request that you send them, or any new hypnotherapist, their personal information in a commonly used, machine-readable format, e.g. a .csv file or a plain text file.

Clients can request that you stop sending emails, marketing information or newsletters, and stop making sales or marketing calls. You must obtain specific permission before sending any marketing mailings or making sales phone calls.

Clients have the right to ensure that any profiling that is undertaken using their personal information is fair, appropriate, statistically valid and transparent.

You are expected to take appropriate technical and organisational measures to protect all client data and records.

You must report a personal data breach (for example client records that were lost, stolen or accessed by an unauthorised person) to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to put the people concerned at risk. Where the breach is likely to put your clients at high risk, you must also notify the clients themselves without undue delay. For example, if a client's address, date of birth, medical history and other personal information were accessed by an unauthorised person, this would in all probability be deemed a high-risk breach and your clients must be notified (along with the ICO). Keep a record of every breach, even those you decide not to report.

Clients' personal information must not be transferred outside the EU (or the wider European Economic Area) unless appropriate safeguards are in place, for example a country covered by an EU adequacy decision, or a provider with whom you have standard contractual clauses.

Clients must be informed how you are using their personal information.

If you hold data or send newsletters via a provider based outside the EU, check that they are GDPR compliant, that you have a written data-processing agreement with them setting out what they may do with your data, and that you can demonstrate "due diligence" for the protection of your data. The same applies to providers inside the EU: the responsibility for the data remains yours.

Prepare for GDPR

Do a thorough data process audit. How do you hold your data, and how secure is it? How do you track who else is sent the data, and how do they secure it? Are there any areas where your data protection is weak? If you use a practice management system, are you satisfied that your provider is GDPR compliant?

How do you log when data is sent to a third party?

Consider what client data you really need. Are you holding data which may not be relevant to their therapy?

If you send newsletters or marketing information, or make cold calls, have you obtained permission from everyone on your mailing list to be contacted? Consent must be specific: if you send different types of marketing communication, you need separate permission for each type (e.g. special offers, information newsletters) and for each channel (text, email, phone call). Service messages such as appointment reminders are part of the treatment you have agreed with the client and do not need marketing consent, but you should still record which channels each client has agreed to be contacted on, and keep a record of what permission was given, when and how.

This article is the first of a series and meant as a starting point to the new regulations. We would strongly advise you read all the information available from Information Commissioner’s Office (ICO).

Please be aware that not all the points of the legislation will apply to your practice – the legislation covers anyone from a giant corporation to a sole trader!