Let’s take a brief look at ways that you could inadvertently breach GDPR...
Hackers are always looking for new ways to get into our devices. Laptops, tablets, PCs and smartphones all need to be protected against breaches. If you are keeping any of the following information on your mobile phone or tablet, you need to reconsider how you are managing this data: client names, phone numbers, text messages referring to their treatment, a diary or a treatment history. Any device holding this type of information needs to be fully encrypted, which is not the same as simply setting a password or PIN on the device. A quick Internet search will show you how to turn on encryption for your particular device. You need to be hacker proof!
If your phone or tablet is stolen, if you simply lose it, or if you send it off for repair and someone accesses your clinic data, this is a very serious data breach that must be dealt with under the new GDPR rules. An encrypted device protects you against this eventuality.
How often have you received an email that turned out to be a phishing attempt or to carry a virus? It could (and probably will!) happen to you, so consider using an email encryption platform such as Egress if you are sending confidential client information. Additionally, what if you were to send an email or letter to the wrong client? This could result in highly confidential information being shared, and perhaps even lost; this is something you do not want! When speaking to clients on the phone, are your staff writing down client contact details and then simply throwing them in the bin? You need to work with your team to stop practices like this, which would be a breach of your clients' data.
How do you currently seek and manage consent to use an individual's data? Under GDPR, this permission must be obtained at the point of initial contact, which is most likely to be a telephone conversation or an email exchange. It's down to you to ensure your clinic staff are trained to handle these conversations in line with GDPR. Remember, consent requires a positive opt-in: pre-ticked boxes or any other form of consent by default are no longer permitted!
Have you considered what happens if your premises are broken into and your client files and paper diary are not under lock and key? Some intruders look specifically for these kinds of documents, and you must ensure that you sufficiently protect your clients' precious data. Are you currently working from a salon or other third-party premises that holds your client data on its unprotected systems? It is your responsibility to ensure your clients' data is protected.
When deciding on your approach, you will need to anticipate your future communication needs with each client. For example, do you currently contact clients to remind them when appointments are due, or to follow up after treatments? This is the area of GDPR from which claims are most likely to arise, so make sure that you have watertight protocols in place. Detailed guidance on consent is available here: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
You may be asking yourself what the consequences could be if any one of these things happens to you. You could receive a fine of up to 4% of your turnover: yes, that is turnover, not profit! To give an idea of the scale of the change, in 2016 the ICO issued fines totalling about £880,000 for data breaches; under the new GDPR rules, these would have amounted to £69 million!
Please make sure you are confident that you understand the new regulations and are putting protocols in place to manage them before it's too late.
For further information you can visit the ICO website: https://ico.org.uk/