
GDPR Essentials for Private Practice

Sarah Simmonds

Updated: Feb 3


GDPR, the General Data Protection Regulation, is the EU's data protection law and has applied since 25 May 2018. Its primary objective is to safeguard the personal data of individuals in the EU and the European Economic Area (EEA). Its reach is global: it applies to any organisation, wherever it is located, that offers goods or services to people in the EU/EEA or monitors their behaviour there. Since Brexit the UK has kept the same rules as the UK GDPR, supplemented by the Data Protection Act 2018, and that is the regime a UK private practice works under; the ICO guidance referred to throughout this post is guidance on the UK GDPR.


GDPR is a huge topic, so the purpose of this post is to pick out the key points as they apply to private practice and to explain what we need to do in our businesses to be compliant with the law. *See content disclaimer below.



What Do We Mean by Processing Data?


Under the General Data Protection Regulation (GDPR), processing data encompasses all actions taken with personal data, including collection, storage, retrieval, alteration, sharing, erasure and more, whether done manually or by automated means. GDPR applies to both electronic and paper-based records (where the paper records form part of a filing system) and requires strict compliance by organisations that collect or process personal data.


Personal data includes any information related to an identified or identifiable individual, whether through direct identifiers like names and email addresses or indirect identifiers that, when combined with other data, can lead to identification.


Special category data (often called sensitive data) is a subset of personal data covering racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health, and sex life or sexual orientation. Pseudonymised data (e.g. client notes filed under a client number) is still personal data if the person can be re-identified, for example by anyone holding the list that links numbers to names. Processing special category data is only lawful if, in addition to a lawful basis, one of the conditions in Article 9 of the GDPR is met, and it attracts stricter security and record-keeping expectations.


A data controller is an entity or individual that determines the purposes and means of processing personal data. They are responsible for deciding why and how personal data is processed, making key decisions about data processing activities. As a health professional offering services to clients, you are the data controller, and therefore responsible for the lawful processing of personal data.


A data processor is an entity or individual that processes personal data on behalf of the data controller. Data processors act according to the controller's instructions, carrying out the specific data processing tasks required.


Examples of data processors in private practice are virtual assistants, receptionists, bookkeepers, web developers, social media managers, and accountants. Accountants can also be a data controller in their own right, as they have obligations under GDPR that are not under your instruction, e.g. reporting information to their regulatory body against your wishes.


Other examples of data processors are companies that provide software and services to your business, e.g. Google Workspace, Xero, WordPress, Mailchimp, Writeupp and Microsoft Office.


Both data controllers and data processors have distinct responsibilities and obligations under GDPR, with controllers primarily responsible for compliance with the regulation's requirements and processors obliged to follow those instructions and implement security measures to protect the data they process.


A Data Protection Officer (DPO) is a designated individual or position within an organisation responsible for overseeing data protection and ensuring compliance with GDPR requirements. The DPO's role involves monitoring data processing activities, providing guidance to the organisation on data protection matters, conducting data protection impact assessments, and serving as a point of contact for data subjects and supervisory authorities.


The appointment of a DPO is mandatory for public authorities, and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data or data relating to criminal convictions and offences. The ICO has guidance on whether you need to appoint a DPO. A sole practitioner or small practice holding its own clients' records is not processing on a large scale, so most health professionals and private practice businesses will not be required to appoint a DPO (you may still choose to appoint one voluntarily, but the role then carries the same legal duties).


A Senior Responsible Individual (SRI) is a role proposed in the Data Protection and Digital Information Bill (currently under review). It is thought that this role will replace the DPO role and may be relevant for all businesses regardless of business size or scale of processing.


The Information Commissioner's Office (ICO) is the UK's regulatory authority for GDPR and it is responsible for upholding information rights, promoting data privacy, and ensuring compliance with data protection laws. The ICO provides guidance to organisations, investigates data breaches, enforces data protection legislation, and educates the public about their rights regarding personal data. It serves as a vital guardian of individuals' data privacy rights, helping to create a responsible and accountable data-driven environment in the UK.


Most organisations and sole traders that process personal data as a controller must pay an annual data protection fee to the ICO, unless an exemption applies, and the ICO publishes a register of fee payers. Paying the fee involves giving the ICO basic details about your organisation and the nature of your processing, and the contact details of your DPO if you have one. It is a legal requirement under the Data Protection (Charges and Information) Regulations 2018, not a declaration of compliance: being on the register does not by itself make you compliant, but failing to pay when required can result in a penalty. The ICO has a short self-assessment on its website to check whether you need to pay.



Processing Data Lawfully


Lawful Basis For Processing Personal Data


Each processing activity must rest on one of the six lawful bases for processing personal data, chosen before you start processing and documented in your records. The six lawful bases are:


Consent: An individual has given clear consent for their personal data to be processed for a specific purpose.

Contract: Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering a contract.

Legal Obligation: Processing is necessary for compliance with a legal obligation to which a data controller is subject.

Vital Interests: Processing is necessary to protect someone’s life.

Public Task: Processing is necessary for the performance of a task carried out in the public interest or for official functions and the task or function has a clear basis in law.

Legitimate Interests: The processing is necessary for a data controller’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.


Then this data should be processed under the following seven principles:


Lawfulness, Fairness, and Transparency: Data processing must be done lawfully, fairly, and transparently. Individuals should know how their data is being used, and this information should be easily accessible to them.

Purpose Limitation: Personal data should only be collected for specific, explicit, and legitimate purposes, and should not be further processed in a way that is incompatible with those purposes. Using the data for a new, incompatible purpose needs its own lawful basis, which may be the individual's consent.

Data Minimisation: Organisations should only collect and process data that is necessary for the intended purpose. Unnecessary data should not be collected.

Accuracy: Data should be accurate and kept up to date. Organisations are responsible for ensuring the accuracy of the data they hold.

Storage Limitation: Data should only be kept for as long as necessary for the purposes for which it was collected.

Integrity and Confidentiality: Data should be processed in a manner that ensures security and confidentiality, using appropriate technical and organisational measures.

Accountability: Organisations are responsible for complying with GDPR and must be able to demonstrate their compliance.


Under GDPR, individuals have eight rights concerning their personal data, and a request under most of them must normally be answered within one month:


The Right to be Informed: Individuals must be told, in clear language, how and why their data is being used (this is what your Privacy Notice does).

The Right to Access: Individuals can request access to their personal data held by organisations (a "subject access request").

The Right to Rectification: Individuals can request corrections to inaccurate or incomplete data.

The Right to Erasure (or "Right to be Forgotten"): Individuals can request the deletion of their data under certain circumstances.

The Right to Restriction of Processing: Individuals can request the restriction of data processing under specific conditions.

The Right to Data Portability: Individuals can request their data in a structured, commonly used, and machine-readable format for transfer to another organisation.

The Right to Object: Individuals can object to the processing of their data, especially for direct marketing purposes.

Rights related to Automated Decision-Making and Profiling: Individuals can object to decisions made solely by automated means that have legal or similarly significant effects on them.



GDPR: What Do We Need To Do?



Data Inventory


The ICO expects organisations to have a clear understanding of their data processing activities and the lawful basis for each. One way to do this is to create a data inventory (the GDPR calls it a record of processing activities, Article 30) that documents and tracks all the personal data your business processes. The inventory includes the types of data collected, the purposes for which they are processed, the lawful basis (and the Article 9 condition for health data), where and how the data are stored, who has access, which data processors are involved, any transfers outside the UK, and how long the data are retained. It must be reviewed and updated when you start a new processing activity, or when deciding to use new software or a new data processor. The ICO has a template document for recording processing activity here.



Data Security Measures


Data security refers to the measures and practices put in place to protect personal data from unauthorised access, breaches, or any form of compromise. This encompasses technical and organisational safeguards such as encryption, access controls, regular security assessments, and employee training to ensure that personal data remains confidential, intact, and available only to those with the proper authorisation. As data controllers we should ensure that the data processors we use are adhering to good data security and have had adequate training. It is ideal to have a data security policy for your business which may outline your expectations for use of IT equipment and physical files. The ICO has some guidance here.



Data Processing Agreements


A Data Processing Agreement (DPA) is a contract between the data controller and data processor that sets out how personal data will be processed on the controller's behalf and clarifies the responsibilities and obligations of each party. Article 28 of the UK GDPR requires this contract to be in writing and to contain specific terms: the subject matter, duration, nature and purpose of the processing; the types of personal data and categories of data subject; an obligation on the processor to act only on the controller's documented instructions; confidentiality of the processor's staff; appropriate security measures; rules on engaging sub-processors; assistance with data subject rights and with breaches; deletion or return of the data at the end of the contract; and audit rights. A DPA ensures that both parties adhere to GDPR requirements, including data security, confidentiality, and the protection of individuals' rights; the ICO publishes a checklist of the required terms.


The ICO will expect a business processing personal data to have a DPA in place with each data processor. Where the data processor is a large organisation (e.g. Google Workspace, Microsoft Office, Writeupp, Xero etc.) it will not sign an individual DPA with you; instead it publishes a standard Data Processing Addendum (sometimes called "data processing terms") that forms part of its terms of service and serves as your DPA. You need a DPA for each data processor you use, so access, review and store a copy of the Data Processing Addendum for each large processor, noting its version and the date you reviewed it. The ICO have guidance here.



Privacy Notice


A Privacy Notice, also called a Privacy Policy, is a public facing formal document that outlines how an organisation collects, processes, and protects personal data. This document is a crucial part of GDPR compliance and serves as a means of transparency and communication between the organisation and individuals whose data is being processed. A GDPR-compliant Privacy Notice should detail the types of data collected, the purposes for which it's used, how long it's retained, and the individuals' rights regarding their data. It also explains the lawful basis for processing and provides contact information for data-related inquiries or concerns.


You should have your Privacy Notice available on your website with a clear link to this in your footer, and at any point that you enable people visiting your website to enter personal data (e.g. through a contact form). If you do not have a website then you must provide this to people who enquire or take up your services via email or using a paper copy. The ICO have guidance here.


TOP TIP: Avoid using AI to create documents which have legal implications for your business such as your privacy notice as these services tend to be out of date by a few years and tend to miss out important aspects of UK law relating to GDPR that is essential for legal compliance.

Cookie Policy


A Cookie Policy is a document that informs users about the use of cookies and similar tracking technologies when they visit your website. This policy outlines the types of cookies used, their purposes, and how users can manage or disable them. In the UK the rules on cookies come from the Privacy and Electronic Communications Regulations (PECR), which sit alongside the UK GDPR: you must tell people what cookies you set and why, and obtain their consent before setting any cookie that is not strictly necessary for the service they asked for (analytics and marketing cookies, for example). A banner that only announces that cookies are in use, or that sets non-essential cookies before the visitor has chosen, does not meet this. By giving users a real choice to accept or reject non-essential cookies, a cookie policy lets individuals make informed choices about their online privacy. You can combine your Cookie Policy with your Privacy Notice if it is an online Privacy Notice. If you do not have a website then you do not require a Cookie Policy. The ICO have guidance here.


Consent Mechanisms


Consent, as defined by GDPR, is the freely given, specific, informed, and unambiguous expression of an individual's wishes through a clear affirmative action, such as clicking an opt-in box or signing a consent form, indicating their agreement to the processing of their personal data for a specified purpose. It is essential that consent is freely given, and organisations must make it as easy to withdraw consent as it is to give it. Individuals have the right to withdraw their consent at any time.


GDPR places a significant emphasis on the transparency of consent mechanisms, so that individuals fully understand what they are consenting to. Where you rely on consent as your condition for processing special category data such as health information, that consent must be explicit: a clear statement that the person actively agrees to, such as this wording on an intake form: "By entering my medical details below, I explicitly consent to my medical questionnaire (including any data in it about my physical and mental health) being processed by [company name] for the purpose of [e.g. assessment and treatment of my mental health difficulties]" (Suzanne Dibble, 2020, GDPR for Dummies). Explicit consent is one of several Article 9 conditions; the ICO's guidance on special category data describes the others, including the condition for the provision of health or social care, which applies where the processing is carried out by or under the responsibility of a health professional bound by a duty of confidentiality. Decide which condition you are relying on and record it in your data inventory.


Similarly, when providing a contact form on your website for people to enquire about health services, people may submit sensitive data (e.g. health data) within the form, so you should obtain explicit consent to that processing. Put a short statement at the point where they enter their data that tells them any health information they enter will be processed, links to your Privacy Notice, and includes an unticked box with affirmative wording (e.g. "I consent to the health information I enter here being processed for the purpose of responding to my enquiry, as described in the Privacy Notice"). The box must not be pre-ticked, and the form should not submit until it is ticked; a box that merely says "I have read the Privacy Notice" records acknowledgement, not consent. Keep a record of when consent was given and which version of the notice the person saw, since the accountability principle requires you to be able to demonstrate it. The ICO has guidance here.
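The server-side half of the contact-form arrangement described above, as an added example that is not part of the original post: a Node.js handler that accepts an enquiry only if the consent box was actually ticked against the current notice version, stores nothing when consent is missing, writes a consent record as evidence, and makes withdrawal a single call. The field names (`consent`, `notice_version`), the notice version string and the consent wording are assumptions for illustration.

```javascript
// Added example (not from the original post): server-side handling of a
// website enquiry form that may contain health data. It accepts a submission
// only if the consent box was actually ticked against the current notice
// version, keeps nothing when consent is missing, records the consent as
// evidence, and makes withdrawal a single call. The field names, notice
// version and wording are assumptions for illustration.
"use strict";

const PRIVACY_NOTICE_VERSION = "2024-02"; // assumed: change whenever the notice changes
const CONSENT_STATEMENT =                 // assumed wording shown beside the tick box
  "I consent to the health information I enter here being processed by " +
  "[practice name] for the purpose of responding to my enquiry, as " +
  "described in the Privacy Notice.";

// Which fields are required and which may carry special category (health)
// data. Free text is treated as health data because people describe symptoms.
const FIELDS = {
  name:    { required: true,  healthData: false },
  email:   { required: true,  healthData: false },
  message: { required: false, healthData: true  },
};

const asText = (v) => (typeof v === "string" ? v.trim() : "");

function validateEnquiry(body, now = new Date()) {
  const errors = [];
  // A browser omits an unticked checkbox from the submission, so only an
  // affirmative value counts. Never default this to true: a pre-ticked box
  // is not valid consent.
  const ticked = body.consent === "on" || body.consent === true;
  if (!ticked) errors.push("explicit consent not given");
  // A hidden notice_version field records which notice the form was served
  // with; a mismatch means the person agreed to wording that has since changed.
  if (body.notice_version !== PRIVACY_NOTICE_VERSION) errors.push("privacy notice version mismatch");
  for (const [name, spec] of Object.entries(FIELDS)) {
    if (spec.required && !asText(body[name])) errors.push(`missing ${name}`);
  }
  // On failure return only the errors: the health data is not retained.
  if (errors.length) return { ok: false, errors, record: null };

  const data = {};
  for (const name of Object.keys(FIELDS)) data[name] = asText(body[name]);
  // This record is the evidence the accountability principle calls for:
  // who consented, when, to which wording and notice version, and for what.
  const record = {
    subject: data.email.toLowerCase(),
    consentedAt: now.toISOString(),
    noticeVersion: PRIVACY_NOTICE_VERSION,
    statement: CONSENT_STATEMENT,
    purpose: "responding to an enquiry about services",
    healthDataFields: Object.keys(FIELDS).filter((f) => FIELDS[f].healthData),
    withdrawnAt: null,
    data,
  };
  return { ok: true, errors: [], record };
}

// Withdrawing must be as easy as giving consent: one request, one field set.
// The original record is left intact so the history of what was agreed survives.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Every later use of the data is gated on consent still standing.
function mayProcess(record) {
  return record.withdrawnAt === null;
}

// Constructed sample submission, shaped as a browser would post it.
const SAMPLE_SUBMISSION = {
  name: "Jane Example",
  email: "Jane@example.org",
  message: "I have been struggling with anxiety and would like an assessment.",
  consent: "on",
  notice_version: "2024-02",
};

if (typeof require !== "undefined" && require.main === module) {
  const accepted = validateEnquiry(SAMPLE_SUBMISSION);
  console.log("accepted:", accepted.ok, "for", accepted.record.subject);
  const refused = validateEnquiry({ ...SAMPLE_SUBMISSION, consent: undefined });
  console.log("without the box ticked:", refused.errors);
}
```

Run it with `node enquiry.js`. The HTML form it pairs with needs an unchecked checkbox named `consent` next to the statement and a hidden `notice_version` input set to the notice version the page was rendered with. The check has to live on the server: a "submit" button that is disabled in the browser until the box is ticked is good for the visitor, but client-side JavaScript can be bypassed, so it is not what you would point the ICO to as evidence.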


International Transfers of Data


At first glance most of us would assume we do not transfer data internationally, but if we use a data processor (e.g. Google, Zoom, Microsoft Teams etc.) whose servers or support staff are outside the UK, then personal data leaves the UK, most often for the US. This is what the GDPR means by an international (or "restricted") data transfer.


Therefore, we must first check which country the data processor is in and whether that country is covered by an adequacy decision. For the UK GDPR these are the UK's own adequacy regulations, which cover the EEA countries and a number of others; for the EU GDPR they are the European Commission's adequacy decisions. Adequacy means the country is deemed to uphold standards of data protection equivalent to the GDPR, so no further safeguard is needed for the transfer itself (you still need a DPA with the processor).


If the country is not covered by adequacy, check whether a more limited mechanism applies. The US as a whole is not an adequate country, but at the time of writing an adequacy decision covers US organisations that have certified under the EU-US Data Privacy Framework (DPF); for transfers from the UK the organisation must also be certified under the UK Extension to the DPF (the "UK-US data bridge"). Certification can be checked on the US Department of Commerce's public DPF list.


Thankfully Google, Microsoft, Zoom, Squarespace and Wix are signed up, but some organisations are not, e.g. WordPress and Elementor. Certification can lapse, so confirm the listing for each processor when you first contract with them and again at your annual review, rather than relying on this list.


Where there is no adequacy decision or framework to ensure that an international data transfer is protected to the standard of the GDPR, you will need to rely on a transfer agreement with the processor: for transfers from the UK this is the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs); under the EU GDPR it is the EU SCCs themselves. So if you had a VA or web designer located in a country without such protection, you would add the IDTA, or the SCCs with the UK Addendum, to your Data Processing Agreement (DPA) with them. The ICO also expects you to carry out a transfer risk assessment, considering whether the laws and practices of the destination country would undermine those clauses in practice.


If the processor is a bigger organisation you would not have an individual DPA with them, but they should have a Data Processing Addendum, a general agreement that everyone using their services is bound by. Check that they have this, and that it incorporates the SCCs (with the UK Addendum) or the IDTA for transfers from the UK.


If none of the above is possible then you would need the explicit consent of your data subjects to the transfer, given after they have been informed of the risks of sending their data to a country without adequate protection. This is a derogation intended for occasional, one-off transfers rather than routine use of a service, and the ICO advises relying on it only as a last resort; consent can also be withdrawn at any time, which would stop the transfer. You can describe the transfer in your Privacy Notice, but the consent itself must be a separate affirmative act.



Do Your Due Diligence on Data Processors


As data controllers it is our responsibility to make sure that the data processors we use process data lawfully. This covers both the software we use and the people we hire who will act as data processors on our behalf.


If a data processor suffers a breach of the data it processes for you (e.g. you use Google Drive and your account is compromised, or your VA has a data breach), the processor must notify you without undue delay, and you as controller must report the breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to people's rights and freedoms. If the breach is likely to result in a high risk to those rights and freedoms (which a breach of health data normally would), you must also tell the affected data subjects without undue delay. Keep a record of every breach, including those you decide not to report. The ICO may then investigate, and if it finds that you did not do your due diligence on the data processor you could be held liable alongside them. So what do we need to do:


Firstly, check that the data processor understands the GDPR and is compliant. A GDPR-compliant processor will have a privacy notice that sets out what data it processes, how it processes them and under what lawful basis, and will be able to describe the security measures it applies to your data.


They should also have a Data Processing Agreement with you, or if a large company they won't enter into an individual agreement with you but they will have a Data Processing Addendum that is accessible online. Review and save a copy of this.


If the data processor is based in the UK, the EEA or another country covered by the UK adequacy regulations (see the section above on international transfers), you don't need extra transfer safeguards, although you still need the DPA and the checks above.


If they are based in the US, as many data processors are, check that they are certified under the EU-US Data Privacy Framework and its UK Extension (the "UK-US data bridge"). If not, you need to put the IDTA, or the EU SCCs with the UK Addendum, in place together with a transfer risk assessment (see the section above).


Document your checks for each data processor so you have them on file: the date, who you checked, what you reviewed (privacy notice, DPA or addendum, transfer mechanism) and the outcome. I also suggest an annual review of their DPA and privacy notice, and of their DPF certification where relevant, since all three can change.
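The due-diligence steps above (DPA or addendum on file, privacy notice reviewed, a valid transfer mechanism, annual review) as an added worked example that is not part of the original post: a small Node.js script that runs the same decision over a list of processors and reports what still needs doing before each can be used. The processor records are constructed and do not describe any real company's certification status, the field names are assumptions, and the adequacy set is deliberately limited to the UK and EEA with a pointer to the ICO's list for the rest.

```javascript
// Added example (not from the original post): applies the due-diligence
// decision steps to a list of data processors. Processor records, field
// names and the adequacy set are assumptions for illustration.
"use strict";

// Assumed, illustrative: the UK plus the EEA. The UK adequacy regulations
// cover further countries (and the EU has its own adequacy decisions), so
// check the ICO's current list rather than relying on this set.
const ADEQUATE = new Set([
  "GB", "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI",
  "ES", "SE", "IS", "LI", "NO",
]);
const REVIEW_INTERVAL_DAYS = 365;

// Which mechanism, if any, covers sending personal data to this processor.
// Order matters: adequacy first, then the UK-US data bridge, then contract clauses.
function transferMechanism(p) {
  if (ADEQUATE.has(p.country)) return "adequacy";
  if (p.country === "US" && p.dpfUkExtension) return "UK-US data bridge (DPF UK Extension)";
  if (p.idtaOrAddendum) return "IDTA / UK Addendum to the EU SCCs";
  return null;
}

function checkProcessor(p, today = new Date()) {
  const actions = [];
  let blocking = false;
  if (!p.dpaReviewed) {
    actions.push("obtain and file a Data Processing Agreement or the processor's Data Processing Addendum");
    blocking = true;
  }
  if (!p.privacyNoticeReviewed) {
    actions.push("review the processor's privacy notice (what it processes, how, and on what lawful basis)");
    blocking = true;
  }
  const mechanism = transferMechanism(p);
  if (mechanism === null) {
    actions.push(`no valid transfer mechanism for ${p.country}: put an IDTA or UK Addendum in place ` +
      "(with a transfer risk assessment), or for occasional transfers only obtain explicit consent after explaining the risks");
    blocking = true;
  }
  // Annual review reminder. An unparseable date gives NaN, which fails the
  // comparison and is therefore reported as overdue rather than ignored.
  const ageDays = (today - new Date(p.lastReviewed)) / 86400000;
  if (!(ageDays <= REVIEW_INTERVAL_DAYS)) {
    actions.push("annual review of DPA, privacy notice and certification is overdue");
  }
  return { name: p.name, approved: !blocking, mechanism, actions };
}

function reviewProcessors(processors, today = new Date()) {
  return processors.map((p) => checkProcessor(p, today));
}

// Constructed sample inventory: not real processors or real certification status.
const SAMPLE_PROCESSORS = [
  { name: "Cloud email suite", country: "US", dpfUkExtension: true, idtaOrAddendum: false,
    dpaReviewed: true, privacyNoticeReviewed: true, lastReviewed: "2024-01-15" },
  { name: "UK bookkeeper", country: "GB", dpfUkExtension: false, idtaOrAddendum: false,
    dpaReviewed: true, privacyNoticeReviewed: true, lastReviewed: "2022-06-01" },
  { name: "Freelance virtual assistant", country: "PH", dpfUkExtension: false, idtaOrAddendum: false,
    dpaReviewed: false, privacyNoticeReviewed: true, lastReviewed: "2024-01-15" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of reviewProcessors(SAMPLE_PROCESSORS, new Date("2024-03-01"))) {
    console.log(`${r.name}: ${r.approved ? "OK" : "BLOCKED"} (${r.mechanism ?? "no mechanism"})`);
    for (const a of r.actions) console.log(`  - ${a}`);
  }
}
```

Run with `node processors.js`; the sample output marks the US email suite as covered by the data bridge, the UK bookkeeper as fine apart from an overdue review, and the freelance VA as blocked until a DPA and a transfer mechanism are in place. Keeping the inventory in a file and re-running this at each annual review gives you the dated record of checks the ICO would ask to see.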




Further Resources


The Information Commissioner's Office has a wealth of information on GDPR and your requirements as a Data Controller. It also has information about your responsibilities when taking on a Data Processor, such as a Virtual Assistant.


The ICO checklist to improve your understanding of data protection and find out what you need to do to make sure you are keeping people’s personal data secure.


This guide explains the general data protection regime that applies to most UK businesses and organisations. It covers the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.


Suzanne Dibble (2020) GDPR for Dummies

GDPR expert and Data Protection Lawyer Suzanne Dibble has written a comprehensive book about GDPR.


Government approved training for small businesses on cyber security.



Legal Template Packs for Health Professionals


If you have found this article helpful and would like to purchase some legal templates for your business then you may be interested in the resources below.


*Affiliate commissions: I earn affiliate commissions from Suzanne Dibble products and services but this does not affect the price you pay.




The Website Compliance Pack is a template bundle containing the following templates:

  • Website Terms of Use

  • Privacy Policy

  • Cookie Policy


The Pros: Downloadable legal templates to cover the main legal requirements for your website.


The Cons: The templates alone will not be tailored to your business and you will need to adapt these to your particular business needs.




The GDPR Compliance Pack which contains 20 legal template documents and checklists, with associated video guides.

  • Email for refreshing consent, GDPR compliant privacy policy, GDPR checklist including processing checklist

  • Data processing inventory, Legitimate Interests Assessment form, Data transfer checklist, Processor Agreement

  • Marketing checklist Records retention policy, DPO checklist

  • Employer checklist, Employee privacy statement

  • Employee subject access request form, Response to employee subject access request

  • Cookie policy, Subject access record

  • Data breach record, Data breach checklist, DPIA form, Data Retention Policy


The Pros: Downloadable legal templates to cover the main legal requirements for your website.


The Cons: The templates alone will not be tailored to your business and you will need to adapt these to your particular business needs.




This programme provides the full range of legal protection for your business to include:

  • Over 120 template documents

  • Over 120 video guides

  • 8 week mini law school

  • Special coaches and consultants module

  • GDPR documents and website compliance

  • Employment and Contracting

  • Terms and Conditions

  • Intellectual Property Protection

  • Business structures guidance

  • Finance and getting paid

  • Updated with the changes to law

  • Direct access to Suzanne (Savvy Shay Business Club Members only)


The Pros: This programme is a comprehensive programme with numerous training videos so you can learn the legal basis for the documents, and understand what the terminology means, what certain clauses mean and how to combine them. It also involves live consultation sessions with Suzanne to help you to adapt the Terms and Conditions for your business.


The Cons: There is a considerable amount of content to consume to fully understand the process, so it is worth engaging in this when you feel you have the time and headspace to really dedicate to it. The advice given is general legal advice that can be adapted to your personal circumstances but Suzanne holds no liability for this to be considered bespoke legal advice and is clear that she is not acting as your solicitor in such cases, as this would incur an additional fee to fully understand your case.




Tash is a lawyer with corporate and commercial legal experience who specialises in helping coaches and consultants establish their legal systems for their businesses.


  • (Membership) Legal Hub for coaches £890 pa or £89 p/m

  • Legal Essentials Bundle £297

  • Individual smaller bundles £97 each


Pros: Easily downloadable legal templates to cover all of the main areas of running a private practice business. This also includes a video to guide you through how to use the templates. She also offers a more in-depth membership which provides templates along with coaching and masterclasses.


Cons: The templates alone will not be tailored to your business and you will need to adapt these to your particular business needs. However, the membership programme will likely help to address this with coaching and masterclasses.




The Private Practice Suite Business Consultations


For support to optimise the way you run your private practice or to think through particular challenges you are facing in your business, or a particular business goal, please get in touch to see how Private Practice consultations can help you.


We offer one off 1:1 business consultation sessions via video conferencing or you are welcome to book a package of consultations if you would like to work on a specific business area over a few sessions.


Please get in touch for a free 15 minute consultation.





*CONTENT DISCLAIMER

The information contained above is provided for information purposes only. The contents of this article are not intended to amount to financial advice and you should not rely on the contents of this article to make decisions for your business. Professional advice should be obtained to explore your personal circumstances before taking or refraining from taking any action as a result of the contents of this article. Dr Sarah Simmonds, Trading as The Private Practice Suite disclaims all liability and responsibility arising from any reliance placed on any of the contents of this article.


** AFFILIATE DISCLAIMER

I recommend products and services that I have used myself or I have reviewed and believe to be helpful. Links marked with ** earn an affiliate commission for my recommendation of them to you. I ask that if you found this blog post helpful then I would value your appreciation by use of my specific referral link at no extra charge to you. Alternatively, if you do not wish for me to receive affiliate commission on such products then you can search for the links via traditional search engine or via links provided by others.




