GDPR
What you need to know
Personal data is any information that relates to:
A living person
Collected, stored or used by the practice
That can be used to identify the individual
As well as applying to clients, it also includes employee data and even supplier records.
For compliance purposes, you will also need to register with the ICO if you process personal data. While some practices look after their own data compliance, you may also wish to appoint a Data Protection Officer to lead the process or engage a consultant. A specialist can typically provide:
Specific training or consultancy from a specialist in data protection and compliance
Data analysis and inventory.
Identify any gaps around data handling, storage and usage
Staff briefing and training
Documentation – policies and procedures
Regular reviews in the light of changes to legislation
1. Register and pay a fee to the Information Commissioner’s Office (ICO). Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.
2. Start with this checklist: "How well do you comply with data protection law: an assessment for small business owners and sole traders"
3. Data policies and procedures: You should have policies and procedures covering how you handle data and keep it secure, as well as the action you will take in the event of a security breach. Carefully consider any scenario that might give rise to risk (eg data sharing with another practice) and develop policies to ensure GDPR is not breached.
4. Privacy notice: Create a privacy notice which states how you will use the information you collect. You can create your own using the ICO checklist or ask your solicitor to draft a suitable statement. Display it on your website and link to it from any email sign-up forms.
5. Opt-in: Ensure that clients actively opt in to communications and be clear about what they are opting in to (eg email, post, SMS). Do not assume consent by default and ask clients to opt out afterwards; consent must be given before you send marketing.
6. Unsubscribe: Those who have opted in to communications must be able to opt out at any time, for example via an 'unsubscribe' link that removes the client from marketing emails.
7. Mailing lists: If you are acquiring mailing lists to reach prospective clients, ensure they are fully compliant, with a specific opt-in given within the last 6 months. The opt-in also needs to be specific to your business.
8. CCTV: CCTV has specific requirements; use the ICO CCTV checklist for reference.
9. Employment contracts: You may wish to make special provisions around confidentiality, data sharing and data use within your contracts of employment.
10. Staff training: Ensure staff are aware of the conditions required to handle data in a confidential and compliant manner.
11. Social media: Full and informed consent should be obtained from the client before their pet's images or details are shared on social media.
12. Written consent: Remember that a verbal agreement is only as good as the paper it is not written on!
Including a note on GDPR whenever anyone is dealing with client or patient data is good practice, although it may only be strictly relevant where individual records are to be analysed. However, if individual employee performance is to be compared, it is important that the person's identity is protected in any reports shared outside of management.
This is a complex area and, as fines can be significant, it can be worth investing the time and money to complete a full audit and put the associated policies in place for peace of mind.
Resources available from the Information Commissioner's Office (ICO):
Create your own privacy notice
CCTV checklist
UK GDPR guidance and resources