The new GDPR Regulations and is your Dental Practice compliant?
GDPR (General Data Protection Regulation) has been in the news for many months now but the dental practices we have spoken to have no idea what it is, how will affect their dental practice and what they need to do to be prepared for it especially when it comes to marketing.
For this reason, we decided to write a blog on this topic and explain what GDPR means for dental practice and what they have to do to ensure they comply with GDPR for dental marketing.
Watch the video below or you can continue reading.
There has been a lot of scares mongering from legal firms, and other industries about the fines and legal battles that businesses will face. But the truth is that some companies and organisations will no doubt will face these but only a handful of unethical businesses who are heavily involved in the outbound sales industry so let us be the first to say this, it is not a monster that you need to lose sleep about or fear. The dental industry as a whole is pretty much ahead of other organisations because of how regulated we already are which has led us to be protected, in all areas.
What exactly is GDPR?
General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC)[2] of 1995. Source: Wikipedia.
This regulation will come into effect on the 25th May 2018
We will break this down for you.
Data is being collected, passed on to third-party companies, sold and used amongst organisations. The new regulation will give a right to anyone to ask a company what data they hold on them, who this data is being shared with, how they got this data and for the organisation to remove their data. These are simple basic rights which every consumer should be able to attain.
People want more control over what is happening with their data, and this regulation will give control back to the people. Data is being collected every second by insurance companies, website cookies, businesses selling your data to other businesses, businesses using your data for marketing purposes etc.
As dental practices, you all have Data Controller in place who is usually the practice owner or the practice manager. This person is responsible for ensuring that all data of patients are kept safe, and all policies are in place to ensure everything is up to date with according to the ICO (Information Commissioner’s Office) and the Data Protection Act.
The Data controller will need to ensure that the practice is GDPR compliant and the relevant policies are in place.
Your GDPR Privacy Policy
Creating a GDPR Privacy Policy for your dental practice is a requirement which needs to demonstrate and show a framework based on this ICO checklist >>> https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-controllers/
The GDPR includes the following rights for individuals:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to automated decision-making including profiling.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy especially for dental practices which comply have a Data Protection Policy in place as well as registered with ICO.
It is a good time to check your procedures and to work out how you would react if someone asks to have their data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?
GDPR and Marketing
Marketing is our area of expertise. Marketing and data have always gone hand in hand and with more data being collected, the better the
marketing results because data allows you to analyse and improve marketing campaigns, but there is a fine line between data to improve marketing and data acquisition to execute spammy marketing campaigns.
The type of data that most dental practices collect via marketing includes;
– Cookies on your website for tracking purposes
– Lead information collected by online ads such as Facebook Ads and Google Adwords
– Website contact form where people can make online website inquiries
– Email addresses for email campaigns such as monthly newsletters etc
– Email addresses for Facebook Ad campaigns
Cookie Policy
Most websites track the people who visit them to learn more about their behavior and preferences allowing to target them with specific ads usually through Google Adwords.
In order to comply all you need is an updated Cookie Policy on your dental website, and you need to get consent from website visitors to store or retrieve any information.
We have created an updated version of a Cookie Privacy Policy for Dental Practices which you can use immediately.
New Patient Enquiries via Online Ads (Leads)
Now it depends on what you want to do with the information people submit to you, usually via a landing page of some sort. You must also
remember when people fill in your landing page that they are giving you consent to be contacted, for what they have requested, e.g. Free Consultation.
Using patient details for Facebook Ads, Email Campaigns etc., then you will need to get their consent that they are ok with you contacting them for marketing and promotional purposes. These can merely be via an opt-in button that the patient has to tick (not untick).
It is a must to have a process of recording where and how you got their data, e.g. Facebook Ad Landing page and a means of finding this data if the patient ever requests it in the future. These can simply be done with an Excel document but keep on top of this, is a bit tricky.
Website Contact Form
Any potential patients use your website as a place to contact you, usually via the ‘Contact Us’ page, then you will need to make sure the data they send via your website is protected and encrypted from Hackers.
A simple way of doing this is through the use of an SSL certificate. They are relatively cheap these days and provide website visitors with a notification that your website is protected, by displaying a padlock in the browser.
Existing Patients Email Addresses
Like many other practices,if the email addresses of your current patients, you will need to get proper consent for sending them any emails, especially for email marketing.
This medium does not only protects you from CAN-SPAM law that can mark your practice email address as a spammy email address and prevent you from contacting people straight to junk folder) but also protect you from the GDPR law.
Using a simple opt-in box on a medical history form is the simplest way, but you have to ensure you explain what you will do with their email address, e.g. Contact them occasionally with promotions and practice updates. You already should be storing your Medical History forms, so this allows your marketing consents to be, safely stored.
Regardless of how you use patient’s details for marketing, you must ensure you store it safely with as much detail as possible on how you acquired it. Make notes on the patient record inside your dental software and scan any relevant documents into their records or folders.
Nearly all dental practices in the UK will most likely never share their data with any third party companies except the NHS which you already get the patient’s consent to do so.
Team Work
As with any successful business in the world, teamwork plays an essential part in every aspect. Get your team involved in the creation of
the GDPR Privacy Policy and ensure all team members are aware, training on the procedures and have a contingency plan in place if a patient ever requests information on their data.
