Untying the red tape

The EU’s General Data Protection Regulation (GDPR) can be confusing. There is conflicting information and numerous myths circulating on the internet and it can be time-consuming to determine what you need to do to be compliant for your practice or clinic. Jane Braithwaite and Karen Heaton give useful guidance.

Some misinformation on the data protection regulations can be damaging to a business. Bad advice can lead you down a non-compliant path, create unnecessary work or produce resource-intensive processes.

For independent practitioners, there is a greater emphasis on meeting the data protection standards because of the sensitive medical and child data that you necessarily hold about your patients.

However, guidance from the Information Commissioner’s Office (ICO) is clear. Your processes and procedures need to be reasonable and appropriate to the data you process and the actions you take with it. So, we need to keep things in perspective and consider the appropriate compliance steps for your practice.

Your responsibilities

As a private practice, you decide what systems are implemented to store and manage the data you collect and process so you can provide medical services to your patients.

From a GDPR perspective, you are a data controller. The regulator expects you to understand what personal data you are collecting and how you are handling it. Your systems, your data, your responsibility.

The top five priorities you need to have addressed for your practice are: