I guess, like me, many of you have had a four-letter word constantly going around your head for the past few months. OK, so technically speaking, GDPR is an abbreviation not a word, but hopefully you’ll forgive me a bit of artistic licence.
In my conversations with clients I am sensing in some cases a feeling of panic and impending doom. It seems even our MPs are going through the same thing.
The quote from the Information Commissioner’s Office (ICO) in that article might help the panickers gain some perspective. In the words of the ICO: “We are not going to be looking at perfection, we’re going to be looking for commitment.”
That’s a crucial message for any small firm feeling stressed about GDPR. I think there is an understanding at the ICO that businesses are at the start of a process, that they’ll inevitably make a few mistakes as they go along, but that what really matters is that they are taking this seriously and have a plan. What’s key is that companies understand that, going forward, they must process the data they hold responsibly and on a lawful basis (for marketing, that means the explicit consent of the data subject).
Personally, I see GDPR as something to embrace rather than fear. We should all see it as a wake-up call to get our houses in order when it comes to managing personal data.
At e-clinic, we’ve been planning for GDPR for some time. Several years ago, we introduced our own hosting platform and one of our primary objectives was to provide clients with secure, ISO 27001 certified, UK-based data centre hosting. Our data centres, located in Derby and Wakefield, are also Tier 3 facilities (a rating of the redundancy of their power and cooling infrastructure) and are physically secured: staffed 24/7, with full CCTV coverage, three physical barriers on entry and exit, and visitors by appointment only. The remote app used to access e-clinic via the web has always encrypted its traffic with 256-bit AES.
For additional security, we have recently installed new TLS (SSL) certificates so that the data traffic between our own servers, as well as the traffic between our servers and our end users, is encrypted in transit. We will also be enabling encryption at rest for all data files hosted on our servers before the end of the month. The files are in near-constant use rather than ‘at rest’ in the everyday sense, but at-rest encryption protects the stored copy on disk, for example if a drive is removed or a backup is lost.
Where clients choose to host their own data, we have no control over the security of their own network environment. We would urge clients in this position to seriously consider a move to our cloud hosting package, unless you can be sure that your own systems meet the same security standards. We are happy to consult with those clients to advise what steps can be taken and what we can do to help. In some cases, options may be limited. For example, if your server is on a local domain (dataserver.myclinicname.local) as opposed to a fully qualified domain name (dataserver.myclinicname.co.uk), a publicly trusted certificate authority will not issue a certificate for it, because such internal names do not exist in the public DNS. The only way to secure your e-clinic traffic with TLS within the network is then to run your own internal certificate authority and install its root certificate on every client machine. This doesn’t necessarily mean your data is not secure (if, for example, there is no access from outside your own network), but it certainly reduces security and would make permitting outside access dangerous.
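As an added illustration of the point above (this is example code written for this article, not part of e-clinic), the function below takes the name or address a clinic uses to reach its data server and says whether a publicly trusted certificate authority can issue for it, or whether an internal certificate authority is the only option. It goes slightly beyond the two names in the text: single-label host names and private IP addresses are treated the same way as .local names, and the list of internal suffixes is an assumed set that an administrator would adjust for their own network.

```python
import ipaddress

# Suffixes commonly used for names that exist only on an internal network.
# Publicly trusted CAs do not issue for names that are not resolvable in the
# public DNS, so a certificate for these must come from your own internal CA.
# This list is an assumption for the example; extend it for your own network.
INTERNAL_SUFFIXES = (
    ".local", ".localhost", ".internal", ".lan", ".corp", ".home",
    ".intranet", ".private", ".test", ".example", ".invalid",
)


def classify_server_name(name: str) -> str:
    """Classify how the data server name can be covered by a TLS certificate.

    Returns:
      'public-ca'   - a fully qualified public DNS name (or public IP); a
                      publicly trusted CA can issue a certificate for it.
      'internal-ca' - an internal name or private address; only an internal
                      CA that you operate can issue, and every client machine
                      must trust that CA's root certificate.
    """
    # Normalise: trim whitespace, drop a trailing dot, ignore case.
    name = name.strip().rstrip(".").lower()

    # Literal IP addresses: private, loopback and link-local ranges can never
    # appear in a publicly trusted certificate.
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return "internal-ca"
        return "public-ca"

    # A single-label name such as "dataserver" only resolves inside the LAN.
    if "." not in name:
        return "internal-ca"

    if name.endswith(INTERNAL_SUFFIXES):
        return "internal-ca"

    return "public-ca"


def certificate_advice(name: str) -> str:
    """Plain-language advice for a clinic administrator about one server name."""
    kind = classify_server_name(name)
    if kind == "public-ca":
        return (f"{name}: a publicly trusted certificate can be issued; "
                "clients will trust it without any extra configuration.")
    return (f"{name}: no public CA will issue for this name; issue the "
            "certificate from an internal CA and deploy that CA's root "
            "certificate to every client, or rename the server to a fully "
            "qualified public domain name.")


if __name__ == "__main__":
    for host in ("dataserver.myclinicname.local", "dataserver.myclinicname.co.uk",
                 "dataserver", "192.168.1.20"):
        print(certificate_advice(host))
```

The classifier is a pre-check, not a substitute for actually verifying the certificate chain presented by the server; it simply tells you which of the two routes in the paragraph above applies before you spend time on a certificate request.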
In terms of our own processes, we are changing the way support calls are handled. We will now be explicitly keeping a detailed record of every support request that requires a member of our team to access your patients’ personal data. This means that we now only accept such support instructions via email to firstname.lastname@example.org. For additional peace of mind, we will also be updating our own CRM over the next two months to only permit access requests from named contacts. We appreciate that this may be inconvenient at first, especially for clients who have been with us for many years, who have developed a rapport with the team and like to call. However, we feel that a reportable audit trail is in the interests of both parties and is an essential part of compliance. Where a support request doesn’t require data access, for example if you’re having problems connecting, then we can still accept a request by phone, but we will still ask you to confirm by email if we need to connect to your computer via LogMeIn.
With regards to the software itself, we have introduced a number of new features which will help you on your journey to full compliance.
e-clinic already has a mechanism to enable patient consent to marketing to be turned on or off for each marketing channel. However, clients have typically left the defaults for this set to on in all cases. GDPR requires an explicit opt-in from patients for marketing, so we would recommend that you turn these off by default and turn them on only as you receive consent. e-clinic’s marketing features have been compliant in this respect for a very long time: if you build a marketing campaign in e-clinic, patients who have opted out of marketing will always be excluded from campaigns, even if they meet all of your search criteria.
If you feel you need to seek consent again for marketing, we would recommend that you use either e-clinic’s marketing system (or a third-party system such as Mailchimp) to send an email to those who have not already opted out asking them to re-consent. We will be providing a new feature to all hosted clients which enables them to clear all current consents before gaining fresh consent from their current patients.
Under GDPR, patients now have a right to erasure, commonly called the ‘right to be forgotten’. e-clinic has a new feature which allows you to ‘forget’ a patient. In the settings, you can define the period for which you are legally required to keep clinical records (7 or 10 years, for example) and e-clinic will first of all check the patient’s record to ensure that there is no data still within that retention period. If there is, you will be warned and the patient will be marked as ‘no marketing’ instead. If there is no data restricting the process, the patient record will be anonymised and deactivated. This will still enable you to report on statistics such as the number of enquiries received in a period, but ‘forgotten’ patients will not be identifiable in any way.
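To make the ‘forget’ workflow described above concrete, here is an added example (written for this article; it is not e-clinic’s own code and the record layout, field names and retention rule are assumptions). It checks the configured retention period against the patient’s last clinical activity, refuses erasure and withdraws marketing consent where retention still applies, and otherwise strips every identifier while keeping the non-identifying enquiry date so that period statistics still work.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Patient:
    """Assumed minimal patient record for the example."""
    patient_id: int
    name: str
    dob: Optional[date]
    email: str
    phone: str
    enquiry_date: date                      # kept: non-identifying statistic
    last_clinical_activity: Optional[date]  # None if the person only ever enquired
    active: bool = True
    marketing_consent: bool = True
    forgotten: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years to a date, clamping 29 Feb to 28 Feb where needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_blocks_erasure(p: Patient, retention_years: int, today: date) -> bool:
    """True while the clinical record must legally be kept.

    Assumed rule: records are retained for `retention_years` after the last
    clinical activity. An enquiry-only contact has no clinical record to keep.
    """
    if p.last_clinical_activity is None:
        return False
    return today < add_years(p.last_clinical_activity, retention_years)


def forget_patient(p: Patient, retention_years: int, today: date) -> str:
    """Apply a 'forget me' request in place. Returns 'retained' or 'forgotten'."""
    if retention_blocks_erasure(p, retention_years, today):
        # Legal retention overrides erasure: keep the record, stop marketing,
        # and let the caller warn the user.
        p.marketing_consent = False
        return "retained"

    # Anonymise: replace every identifier and deactivate the record. The
    # enquiry_date is deliberately kept so period statistics still count it.
    p.name = "FORGOTTEN"
    p.dob = None
    p.email = ""
    p.phone = ""
    p.active = False
    p.marketing_consent = False
    p.forgotten = True
    return "forgotten"


def count_enquiries(patients: List[Patient], start: date, end: date) -> int:
    """Enquiries in a period, including those from forgotten patients."""
    return sum(1 for p in patients if start <= p.enquiry_date <= end)


def is_identifiable(p: Patient) -> bool:
    """Sanity check after forgetting: no direct identifier may remain."""
    return p.name != "FORGOTTEN" or p.dob is not None or bool(p.email) or bool(p.phone)


# Constructed sample data for the example, not real patients.
TODAY = date(2018, 5, 21)
SAMPLE = [
    Patient(1, "Ann Example", date(1980, 1, 1), "ann@example.org", "01234 000001",
            enquiry_date=date(2012, 3, 1), last_clinical_activity=date(2012, 4, 1)),
    Patient(2, "Bob Example", date(1975, 6, 30), "bob@example.org", "01234 000002",
            enquiry_date=date(2009, 6, 1), last_clinical_activity=date(2009, 6, 15)),
    Patient(3, "Cat Example", None, "cat@example.org", "",
            enquiry_date=date(2017, 11, 20), last_clinical_activity=None),
]


def run_example(patients: List[Patient], retention_years: int = 7,
                today: date = TODAY) -> List[str]:
    """Forget every sample patient and return the outcome per record."""
    return [forget_patient(p, retention_years, today) for p in patients]


if __name__ == "__main__":
    outcomes = run_example(SAMPLE)
    for p, outcome in zip(SAMPLE, outcomes):
        print(p.patient_id, outcome, "marketing:", p.marketing_consent)
    print("enquiries 2009-2012:", count_enquiries(SAMPLE, date(2009, 1, 1), date(2012, 12, 31)))
```

Two caveats a practitioner would add. First, anonymising the structured fields is only part of the job: free-text notes, uploaded attachments, audit logs and backups can all still identify the person and need the same treatment or a documented retention justification. Second, the retained `patient_id` is harmless on its own but becomes identifying if the same number appears in another system, so check what it links to before calling the record anonymous.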
GDPR also has a requirement for data portability. e-clinic will have a new feature which enables an individual patient’s core data to be exported to a series of Excel files (patient record, appointments, financials and so on). These files can then be sent to the patient, who can in turn give the data to another provider to import into their own systems.
In addition to the mandatory requirements, we’re also providing a few extra features to help reduce the number of calls you need to make where data access is needed. For example, we’ll be introducing a simple option to reset an appointment status (where you have completed a patient by accident, for example) along with an ability to remove an attachment which has been uploaded incorrectly (to the wrong patient record, for instance).
We will be adding a number of new features to the next version of e-clinic which is scheduled for later in the year and we’ll be revealing those in the coming months. However, with the Friday deadline looming, we believe we have the bases covered in terms of GDPR compliance.