General Data Protection Regulation (GDPR) compliance is important to us. But what is GDPR? In short, it is a legal framework which sets out guidelines for collecting, processing and storing any personal information about others obtained during the course of running your business. GDPR was brought into effect in May 2018 to protect the privacy and security of individuals' personal and sensitive data.
It is a very broad subject in itself and certainly not one that we will attempt to summarise here. For the purpose of this article, we are going to explore some key points around keeping data clean (by way of data management) for GDPR purposes.
As a professional practitioner, there is a high possibility that any paper and digital records you create and use in your day-to-day practice will contain personal client data. For a start, you have client consultation notes, invoices, diary appointments, handwritten notes, treatment plans, referrals … the list goes on, and most of these will contain some kind of personally identifiable information relating to your clients, such as email address, telephone number, health, sexual orientation, religion etc., and therefore GDPR will apply.
During times of change, many therapists will be considering different ways of working, or even just taking the time to review the systems and processes they currently have in place. With GDPR in mind, here are a few of the measures you can put into place to help get you started:
- Refresh or familiarise yourself with GDPR – take a look at some basic concepts from the Information Commissioner’s Office (ICO)
- Audit the data you have – carry out a quick review of what data you hold and where you keep it
- Review the information you hold – data should only be collected for specified, explicit or legitimate purposes and only be processed in a manner compatible with those purposes
- Organise – different kinds of data will need to be kept for different periods of time, so when gathering information consider its intended use, any legal requirements, how easy (or not) it will be to keep the information up to date, and whether any of it can be anonymised
- Storage – any relevant data gathered should be held for a legitimate period of time (no longer and no shorter), for the right purposes, in a safe and secure place … this doesn’t just mean plugging in the shredder and fuelling it with data-rich records!
- Implement a data protection policy to ensure and demonstrate compliance – make sure it outlines the roles and responsibilities of anyone handling (processing) the data, from collecting, storing, securing and updating it through to disposing of it
- Consider using a secure practice management system, designed and built to help practitioners comply with GDPR
The Information Commissioner’s Office (ICO) has helpful tools and checklists to help improve your knowledge and understanding of data protection compliance which will help to underpin the information in this article.
If you would like more business advice to support you in running a private practice therapy business, Private Practice Hub is a leading business advice website packed full of free resources.