From May 25, all companies, including aesthetic clinics, can be charged up to 20 million Euros or 4% of their annual global turnover if they are found to have breached General Data Protection Regulation (GDPR). Breaches include, but are not limited to, unlawful processing of data or failure to inform authorities of a data breach within the required time periods.1 And for clinics who store hundreds, if not thousands, of patients’ data, it is essential that you understand GDPR and do everything you can to ensure you are thoroughly compliant.
GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across the Europe Union (EU). Companies processing the personal data of people residing in the EU, regardless of where the company is based, fall under the regulation. It also applies to data subjects who may not be from the EU, but are residing there when their data is being processed.1 Andrew Salmon, CEO of data consultancy company TrueSwift, explains, “This means that if you’re treating a patient from outside of Europe, who happens to be residing in Europe at the time, their data should still be protected by you.”
What is personal data?
The definition of personal data has been expanded with the introduction of GDPR. Salmon explains, “Personal data is not just
a name, address, date of birth and nancial information; it includes physiological and biological information as well. So, this includes voice recordings, video recording, photographs of people, fingerprints and biometric information. Anything that directly or indirectly relates to you is classed as personal information.”
Under GDPR, personal data must be processed lawfully, transparently and for a specific purpose. Lawful could have several different meanings under GDPR. It could be lawful if the subject has consented to their data being processed. Alternatively, lawful can mean to comply with a contract or legal obligation; to protect an interest that is ‘essential for the life of’ the subject; if processing the data is in the public interest; or if doing so is in the data controller’s legitimate interest.2
Transparency
One of the key changes with GDPR is that businesses must ensure they are completely transparent with why they are collecting personal data, what it will be used for, how it’s going to be kept and processed, and the rights of the data subject to have it updated or deleted.1
For practitioners, patients’ data is likely to be obtained through different methods. These include ‘consent’, which could, for example, apply to the storing and use of before and after photographs for medical purposes and marketing. When obtaining consent, practitioners should ensure that they communicate this in a clear and distinguishable format, which is distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.1
For gathering names, addresses and phone numbers, Salmon explains this would be classed as ‘contract’ because, “They are signing up to a contract and they’re giving that personal information for you to cover a particular service.”3
In terms of marketing to patients, gaining consent to send them information on your latest news, products and treatments has become a lot more challenging. Patients now must ‘opt in’ to communication sent from you, rather than ‘opt out’.4 Salmon advises, “Every time you process your patients’ data, so send them an email for example, you need to be letting them know what their rights are under the regulations.” He suggests that one way to do this would be to include a privacy/GDPR notice on your website, which you link to within your email communication. “As long as it’s not buried away in lots of small print and hard to understand, that should be sufficient. It should be clear and transparent that you’ve got information on their rights available for them to read should they wish to do so,” he says, adding that it should also be reasonable to expect the subject is able to access and read the privacy policy.
Other elements likely to be relevant to aesthetic practitioners are ‘legitimate interest’ and ‘vital interest’. If you use someone’s data in a way that they would reasonably expect, and this has a minimal privacy impact, then this is ‘legitimate interest’.5 For example, you will need to store patients’ medical history to refer to if, in the rare event, that they present with a complication from the treatment you gave them a few months down the line, and this is likely to be expected by the patient. ‘Vital interest’ will also be relevant, as it involves the personal data that is necessary to protect someone’s life,6 for example if they have any allergies to ingredients in products that you treat them with.
Right to access
Under GDPR, data subjects have the right to request and receive all data held on them by any company, free of charge. Companies have 30 days to action the request and share the data in an electronic format.1 Salmon explains, “Subjects have the right to say they want all of their personal data that you have on them, and this does mean all of it. Whether it’s paper files, backups, archives, online systems, server file systems, databases – everything and everywhere there’s personal data.”
Companies then have to share evidence that proves they have completed a full search and presented everything they hold on that person. Salmon notes that one of the challenges that practitioners may face is that one person’s data may be stored in a spreadsheet that contains other patients’ personal information. In this circumstance, practitioners will have to redact all the other personal data on the document to avoid breaching other data subjects’ privacy rights.
Data erasure
Similarly to access, when someone asks for their data to be deleted, you have to action this within 30 days from the request. It’s important for practitioners to note, however, that you may have the right to retain certain data under other legal requirements, as GDPR does not override other legislation.7 For example, while there isn’t specific advice for aesthetic procedures, the Department of Health Records Management states that GP records should be retained for 10 years after death or after the patient has permanently left the country, unless the patient remains in the EU. It also says that electronic patient records must not be destroyed or deleted for the foreseeable future.8 If, however, it is not necessary for you to retain data – perhaps because a data subject has never been a patient and just opted in for marketing updates from you – then under Article 5 of the GDPR it should be deleted.9
GDPR state that businesses should only keep personal data for ‘as long as necessary’. According to Salmon, this is typically defined by the organisation itself and should be ‘reasonable’. He advises, “Whatever duration is actually chosen by the organisation should be documented, along with the reasoning behind the decision. Often this shows due diligence and demonstrates that policies have been de ned and thought through.”
Salmon says one of the most common questions he gets asked is, do data subjects have to justify why they’re requesting their data? The answer to this is no; however he adds, “Obviously, you’re going to want to understand why they want that data, because it may be a particular subject or time frame that they’re interested in, so that’s going to help speed up your searches to get that information in time,” noting that it will also help the patient receive the information they need rather than lots of unnecessary documents.
Data breaches
Data breaches can occur in many forms and can have a serious impact on a clinic and
its patients affected. For example, viruses transmitted through spam emails could gain access to your digital address book or hack into patient photographs. As such, it is now mandatory for businesses to notify the Information Commissioners’ Office (ICO) of a data breach within 72 hours of finding out it has occurred, where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’. Business owners must also notify customers ‘without undue delay’ as soon as they are aware of the data breach.1
Data protection officers
GDPR states that data protection officers (DPOs) must be appointed in the case of public authorities, organisations that engage in large scale systematic monitoring, or organisations that engage in large scale processing of sensitive personal data.1 There is no exact definition of what quantifies as ‘large’, so is open to interpretation by individual companies. Salmon advises, however, that as aesthetic clinics are likely to fall under Special Category data, which involves personal data that GDPR says is more sensitive as it is medical data, so needs more protection,10 appointing a DPO is recommended.
The DPO’s role is to be the point of contact for data access/erasure requests and managing your GDPR processes and procedures. Salmon says, “They should be
a responsible person reporting to senior management. They have to give independent advice on what should be done in order to be compliant, and ideally should have no conflict of interest.” He adds that the DPO should have a good understanding of data protection law and their responsibilities. They can have another role within the organisation, for example a clinic manager, which will be the general case for companies that are not dealing with frequent data access requests. However Salmon notes that the work of a DPO can be outsourced; clinics do not need to employ internally. “If you’re not expecting lots of subject access data requests, then you can probably outsource this work to a suitable company when needed. You can also hire them to do audit reviews for you every six months or so to ensure you’re still compliant,” he says.
Conclusion
Salmon’s parting advice for practitioners starting their GDPR journey is, “Documentation, documentation, documentation. Anything you do – any thought you have – document it.” Whether it’s an article you’ve read, a webinar you’ve joined or conference session you’ve attended, it will all support you should a claim be brought against you.” According to Salmon, if practitioners can prove that they’ve taken advice on GDPR beforehand and have attempted to understand the legislation, even if the outcome was wrong, it will help and may result in a reduced penalty or none at all. He concludes that it’s very much like learning maths at school, “If you put your workings in the margin, you might get points for the question even if the answer is wrong.”
Note: This article is not exhaustive of all GDPR requirements. For more information, practitioners are advised to visit the GDPR or ICO website, employ the services of a data protection advisor or conduct independent research to be confident in compliance.
Readers can visit aestheticsjournal.com/hub/GDPR for further reading on GDPR articles written by Aesthetics contributors.
