What does the GDPR mean for your clinic?

Arran HayesBusiness news, e-clinic Pro, e-clinic Standard, SecurityLeave a Comment


As of the 25th May 2018, all UK businesses that store consumer data will legally be required to adhere to the General Data Protection Regulation (GDPR). However, the implications of this new EU-led directive may still not be clear to many small business owners. A recent study showed that as many as nine in ten UK business owners weren’t sufficiently prepared for full compliance. In this blog, I will discuss the implications of the GDPR for a small business owner and in particular, for clinics.


One of the main concepts that GDPR changes is consent. Businesses currently need consent to process and store customer data. However, they only have to ask for consent once and this covers all uses of the data. When the GDPR regulations come into effect, businesses will legally be required to ask for separate permission to use consumer data for different things. A clinic will have to ask for consent to use data for marketing, maintenance and fraud checks separately, and they will also have to provide records of when the consent was given. Service providers may not assume consent by providing pre-ticked boxes, instead, they must make consent clear in all legal contracts. e-clinic allows the creation of multiple consent forms for various treatments and purposes which can be signed as a paper document or on an iPad.

Right to erasure

Another fundamental change under GDPR is the right to erasure; this gives patients the option to withdraw consent they have previously given to a clinic. If an individual withdraws their consent, the clinic will have to delete any information they hold regarding that individual. Furthermore, if an individual is concerned about the accuracy of the data a clinic holds about them, they will have the option to restrict the processing of their data. This will essentially freeze the data until the individual gives permission for it to be processed again.

However, there are exceptions due to other legislation in terms of a person’s right to erasure. For example, an HR department cannot legally delete a staff member’s tax records, even if that individual leaves the company and requests deletion of their data. As medical records are required to be kept for a minimum period of time, a clinic could remove an individual from marketing lists but would be required to keep medical records for procedures which had been undertaken. However, it may not be appropriate to keep them on a ‘live’ system and so archiving their record may be a more suitable option.

Data portability

Some patients may ask for a copy of their data rather than requesting its deletion. A clinic must be able to provide the patient with a machine-readable copy of the data they hold about the individual and the GDPR also asks businesses to provide supporting material as a part of this process. The supportive material must include the categories of data they hold as well as their reasons for processing the data. All of this must be completed within a month of the request being submitted.

This aspect of the GDPR may cause issues for small businesses and some clinics for a couple of reasons. Although large companies are likely to have a process for handling data, many smaller businesses will not have a formal process for this. This could be an issue: if data is spread out across different network folders, databases and individual PCs, then the business may have problems retrieving it. In e-clinic, all data relating to a patient is attached to the patient record, so there is no need for numerous folders of data.

Data breach notification

If there is a breach of data security, under the GDPR, it is mandatory to notify regulators. This is the case for small clinics as well as large ones, as all businesses will be asked to provide a procedure for notifying local regulators, and sometimes customers, of a data breach. A lot of people think that Brexit will mean that they are free from all this hassle, unfortunately this is not the case. Firstly, UK businesses will legally have to adhere to GDPR long before we leave the EU and secondly, the UK will be expected to demonstrate similar and equivalent rules if they wish to exchange data with the EU.

Preparing for GDPR

Changes lies this can create a great burden of work for clinics and other small businesses. The Information Commissioner’s Office (ICO) has created a useful guide that outlines the various steps that businesses should go through to ensure that they are fully prepared for the GDPR coming into action in May 2018. Below is a list of the important steps that a small business need to take:

  1. Assess data holdings – It is vital to audit all the data you hold as well as data that is held by third-parties. As this is such an important step, it may help to bring in a consultant to complete the audit.
  2. Review legal frameworks and your approach to consent – It is important to keep a legal document of what you’re doing with client data as you will need to provide legal justification for using it. It is also important to evaluate how you obtain consent and the reason for obtaining it and then make appropriate changes to systems and processes where necessary.
  3. Review your ability to process requests – You must ensure that you have procedures, as well as the correct technology, in place to provide customers with information regarding holding their data. One possibility is to provide customers with online options to request their data, as doing it manually will drain your time.
  4. Review your approach to children’s data – The GDPR required a child’s parents to give consent to use their data, therefore it is essential to document any processes related to the collection of children’s data.
  5. Prepare for data breaches – It is crucial that you have appropriate procedures in place to deal with a data breach. You must be able to detect, investigate and report a breach of data. At e-clinic, we undertake penetration testing on our hosting platform and we recommend that our clients use e-clinic to check the logins data for unauthorized logins.
  6. Review system privacy and implement impact assessments – Any system that processes high-risk data must be designed around privacy principles and conducting impact assessments for these systems will make sure that you are working within the GDPR requirements.
  7. Consider a data protection officer – A data protection officer will oversee privacy arrangements and ensure that you are working within the GDPR. For a small clinic with constrained resources, an external consultant might be a helpful idea.

If you would like to find out more about how e-clinic can help you meet your obligations under the GDPR, please do not hesitate to contact us.