The introduction of GDPR has had a significant impact on data protection and how it is managed across all businesses within the UK. But what does it mean and is there more to it than just opting in or out? We take a look at what it means in terms of data protection for therapists.
GDPR, or the General Data Protection Regulation, is an EU regulation that was introduced in May 2018 to replace the existing Data Protection Act. The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person, and was put in place to ensure that personal data is collected, processed and stored appropriately.
The GDPR applies to processing carried out by organisations operating within the EU or supplying services or goods within the EU. Those collecting data now have a greater responsibility to manage this information securely and fairly.
The GDPR sets out the key responsibilities that anyone holding individuals’ personal data must adhere to. They must ensure that personal data is:
1. Processed lawfully and fairly and in a transparent manner – So when you collect data from a client, you must do so by, for example, asking them to complete a form, and be clear with them that you will be storing their details.
2. Collected for specific and legitimate purposes – You have a responsibility as a therapist to be clear about how a client’s data will be used, ensuring that the purpose is genuine.
3. Limited to what is necessary for the purpose specified – So you can’t tell a client that you are collecting their data to let them know if their appointment time changes and then bombard them with newsletters and special offers.
4. Only held for as long as is necessary for the purpose – If you have told a client that their data is to be held in relation to a specific treatment that you provide, and they have agreed to this, you can’t continue to hold their data if you stop offering that treatment.
5. Processed in a manner that ensures security is maintained, preventing loss of data – When you hold someone’s personal data you must take all precautions to ensure that their data cannot be stolen. So, for example, if a client’s data is stored on your laptop, you must ensure that the laptop is password-protected and that it is kept securely.
– Ensure that on the form you use to collect clients’ data, or in contracts (if this applies), you are clear about why their data is being collected and stored, and give clients a clear choice to opt in or opt out.
– You must also make it easy for clients to have their personal data removed at any time, so you should have a standard statement on all correspondence with clients indicating that if they want to stop receiving information from you they can opt out. The process of opting out should be very clear and straightforward.
– Have a procedure in place for collecting, storing, managing and destroying any personal data to demonstrate that you are following the correct process.
There were penalties in place with the previous Data Protection Act if you did not comply. With the new regulation there are still penalties in place, but these are now higher.
So, although it seems like a complex area, GDPR simply provides more protection for individuals and their personal data. It is important to take the regulation seriously and ensure that you have the correct processes in place as penalties can be high if you are found not to be complying.