If you haven’t already started to prepare for GDPR, it would be advisable to start now!
Over the last few years, we have seen the NHS, Uber, Google and TalkTalk all being targeted and held to ransom for clients' personal data. More recently you may have heard about a leading London clinic that was breached, which led to a criminal investigation and, worse, a lot of hard work to reassure and engage with the clients affected.
Due to the sensitive nature of the Aesthetic Sector, we need to ensure that we comply with the forthcoming GDPR guidelines to limit our risk, as there will likely be many more of these events in the months and years to come. If you are thinking that it will be OK to put off compliance for the time being, remember that after the 25th of May a breach could prove to be very costly, with a fine reaching up to 4% of your total turnover (that is not 4% of your profits!). This fine will be just one costly aspect of the breach – the damage to client relationships and your reputation could be far worse! The London clinic previously mentioned found itself in the national and local papers, on the BBC news website, and on local news channels. How would this affect your clinic, especially if you are an independent practitioner?
As you work carefully through the guidelines for meeting the new GDPR standards it is important that you firstly make all your staff and colleagues who handle client data aware of the regulations, and that you then work together to identify your areas of risk. To help you make a start, it may be worth undertaking an information audit by answering these key questions:
What information do you hold? This could include: Consent forms (both written and online), personal contact details, medical histories, paper diary, photographs and payment information.
Where do you hold this information? This could include: CRM system, spreadsheets, PC, smartphone, tablet, online diary such as Google/Apple, paper diary and records, cloud-based storage, and third-party venues such as salons.
Where does the information come from? This could include: Phone conversations, online consultations such as Skype, face-to-face consultations, emails, SMS texts, social media (Facebook, Snapchat, Instagram, LinkedIn, Twitter etc.) and third parties such as salons.
Who do you share the information with? This could include: Phone conversations, online consultations such as Skype, face-to-face consultations, emails, SMS texts, social media (Facebook, Snapchat, Instagram, LinkedIn, Twitter etc.) and third parties such as salons.
You may require a designated data protection officer within your practice. Are you an organisation that carries out the large-scale processing of special categories of data, such as health records? 'It is most important that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively.' This could be yourself or your practice manager.
Of course, you can always just keep doing what you have been doing without properly protecting your clinic, and hope that you won't be targeted by unscrupulous hackers, won't accidentally share client information, and won't have your mobile device stolen, and so simply fly under the radar... However, the chances of avoiding any kind of breach are becoming ever more limited; you need to act to protect your clinic!
Remember: The deadline is the 25th of May, and it's fast approaching!