What is GDPR
The General Data Protection Regulation (GDPR) is the biggest change to data privacy law in over 20 years. Adopted by the European Parliament and Council, it gives individuals in the EU greater control over their personal data, including how and where it is stored by businesses and organisations. It also governs transfers of personal data out of the EU (for example, if you use US-based Google Drive, your data is transferred out of the EU).
The UK’s independent data protection authority is the Information Commissioner’s Office (ICO). Personal data breaches that are likely to put people’s rights and freedoms at risk must be reported to the ICO (within 72 hours of becoming aware of them), and the ICO issues any fines for non-compliance. The maximum fine is €20 million or 4% of global annual turnover, whichever is higher.
Your responsibility under GDPR
You are responsible for the lawful processing of any personal data you hold. Under the Regulation you must tell your clients how you are using their data: how and where it is stored, for how long, and what you are doing with it.
So what counts as lawful? Under the GDPR there are six lawful bases for processing (Article 6), and you must tell clients which lawful basis you are relying on to process their data. Details of the lawful bases are on the ICO website.
What constitutes personal data?
Personal data is any information that can identify a person, either directly or indirectly. This includes name, address, email, telephone number, bank details, IP address, location and social media accounts.
It is important to note that data held offline, i.e. on paper, is covered just as much as data held online.
Additional important considerations for health and wellness professionals
Under GDPR (Article 9), certain types of data are deemed more sensitive and are known as special category data. Health data is one such type, so you will need to take extra steps to ensure the security of this data and the privacy of your clients.
Health is categorised as sensitive because its misuse could compromise a person’s fundamental rights and freedoms, potentially putting them at risk of discrimination. For example, a pregnant woman could face discrimination at work, or a client with emotional difficulties around their sexuality could be discriminated against if that information were disclosed.
To process special category data lawfully you will need to meet at least one of the conditions in Article 9(2), in addition to having a lawful basis under Article 6.
Data Controller and Data Processors
The Regulation defines two roles for those who deal with data. A Data Controller ‘determines the purposes and means of the processing of personal data’, whilst a Data Processor processes personal data on behalf of the Controller. Both Controllers and Processors can be liable for a breach.
You could be a Controller in one relationship and a Processor in another. If you use a Virtual Assistant to help you with such things as CRMs, email marketing or general client admin, they are the Data Processor and you are the Data Controller. That doesn’t negate your responsibility: it’s up to you to ensure your contracts with third-party processors contain the terms the GDPR requires (Article 28).
What exactly do you need to ensure you are compliant
This is where I hand over to Annabel Kaye of KoffeeKlatch, legal experts in employment law. Annabel is working with a variety of different groups to ensure they are GDPR compliant and has set up a group specifically for health and wellness professionals. In the video below, find out more about GDPR and what you need to consider as a health and wellness professional.
There is so much to learn about GDPR, how it applies to your business and what documents you will need to show you are complying. Don’t worry too much if all the above seems a little overwhelming. This is why I highly recommend you join the KoffeeKlatch GDPR for Therapists group.
What you will learn and receive:
- An audit of the personal and client data you hold
- How to secure your data and share it appropriately.
- How to handle consent and how that affects health-related information (details on consent are still being finalised by the ICO).
- Understanding your data protection responsibilities as a business owner
- Where your data is located – do you know where your software platform keeps it?
- How this affects how you collect and use health-related data.
- Where enhanced consent is vital
- Answers to your own questions on GDPR.
- A year’s membership to the GDPR Facebook Group where you will be supported by GDPR experts and other health and wellness professionals.
I’ve been in Annabel’s Virtual Assistants’ Group and I now have a much greater understanding of what I need to do to become compliant. Things like how to encrypt my devices, where my data is held and how to find out have been invaluable. You will find a series of checklists in the Group which you can work through in your own time. Updated information on GDPR will be provided as and when it is released by the ICO.
Resources and Links
Many of the online services where you might store data are based in the US and may be registered with Privacy Shield. You can check whether the companies you use are listed on the Privacy Shield website. (Note: Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so it can no longer be relied on for transfers; another Chapter V mechanism, such as Standard Contractual Clauses, is needed instead.)
As you process personal data you should register with the ICO. The fee is currently £35; under the new Data Protection (Charges and Information) Regulations 2018 it becomes a tiered fee of £40, £60 or £2,900 depending on your size and turnover, with most sole practitioners in the lowest tier.
KoffeeKlatch’s GDPR Group for Therapists will be an invaluable tool in helping you become GDPR compliant.
Disclosure: I’m an affiliate of KoffeeKlatch which means I receive a small commission if you buy anything from them through my link.