The 5 things you need to do to make your practice GDPR-compliant
Getting your head around the complexity of data protection legislation and your responsibilities and obligations as clinicians can be time-consuming and energy-sapping. Heads inevitably drop upon opening a 100-page “summary” of data protection legislation to find an array of sub-clauses, sub-sections and sub-paragraphs you need to learn. Fears are inevitably raised by media reports of fines for data breaches reaching into the millions of pounds.
The first thing you need to know about your data protection responsibilities is: it’s not that complicated. Don’t panic.
Firstly, because it really isn’t that complicated once you get beyond the terminology and legalese. And secondly, because there are a number of people out there to help, especially the Information Commissioner’s Office (ICO). Here at LCAP, we’ve put together a short, simple training on data protection and the General Data Protection Regulation (GDPR) to guide you through what you need to know and do. You’re almost certainly not going to be fined if you are doing your best to meet your obligations; only four organisations have been fined in the UK at the time of writing. The ICO is there to help, even where you have a data breach.
Your mindset is crucial. The relevant legislation gives ownership of personal data back to the individual citizen - in your case, your client. Your clients own whatever personal data they give you. That includes very simple data like their name, their address, their email address. If they want you to amend it, you should amend it. If they want you to delete it, you should (within reason) delete it. They have those rights.
Because it’s their data, you should only collect data from them which is absolutely essential to delivering therapy. You are borrowing that data, so you should treat it with the same respect you would treat a treasured object you were borrowing from a close friend. If it’s on paper, or a physical object like an external hard drive, store it in a locked filing cabinet. If it’s electronically stored - on your email account, in a Word document, on a cloud service - password protect it, and anonymise or pseudonymise the data where you can (do you really need the client’s full name on their invoice, for example, or could you use their initials?). Don’t share a client’s personal data with any third parties unless you have express written consent to do so. And delete client personal data as soon as you can, depending on what your regulatory body and your insurance provider advise (seven years after the end of your work together is generally considered the latest point by which you should be deleting clients’ personal data).
Once you are approaching data protection with that client-focused mindset, the practicalities become much easier.
Don’t bury your head in the sand, though: you need to know your responsibilities to your clients; you need to take them seriously; and Brexit doesn’t save you! GDPR still applies, because the Data Protection Act 2018 incorporated your GDPR responsibilities into UK law.
Here are five things you should think about doing now, if you haven’t already done them:
- Register with the ICO. It takes a matter of minutes. It costs just £40 a year. They’re there to help. Their live chat function is excellent. If you have any detailed questions, or need practical support, they can help. And if you’re unlucky enough to have a data breach, they will support you in improving your processes. If you’re working with clients, it’s highly, highly likely you are legally obliged to register with them.
- Develop a Privacy Notice. This is basically a document describing what information you will collect from clients, an explanation of why you need it, a description of how you’ll store it, and how and when you’ll delete it. It’s for your clients.
- Get written consent from your clients to obtain and store their data. You can use your Privacy Notice for this. Make it clear at the end that they’ve read, understood and give consent to the processes in your Privacy Notice, and ask them to sign it. We show you how to do this and offer you a template Privacy Notice you can tailor to the specifics of your business.
- If you have a website, work with your site designer or website platform (such as Squarespace) to ensure you have a cookie policy and a privacy policy, so that anyone who visits your site is aware of any data you are collecting about them. Don’t forget - individuals who don’t become clients will visit your website. They need to know if you’re collecting their personal data. You might not be aware that you are. So check.
- Prepare for data breaches and Subject Access Requests, where a client asks to see any data you hold on them. This is as simple as: do you know where all your personal data is kept? Could you access it at short notice? If the answer to either of those questions is “no”, have a look at simplifying what you collect and where you keep it. If you have a data breach, your first step is to contact the ICO and discuss how to let clients know, and how to improve your processes.
So, in short: don’t panic, keep it simple, and respect your clients’ personal data. Do a few simple things well, and you’ll feel much more reassured that you’re meeting your legal and ethical obligations.
We offer more practical tips and templates as part of our simple, short but comprehensive online training on data protection and GDPR for therapists and counsellors. It gives you everything you need to calm your nerves and set you in the right direction.