GDPR: can you still send reminders to existing patients?

by Admin, Communications, Compliance, Dental practice software, General Data Protection Regulation

When GDPR laws come into force on May 25, you’re going to need consent from patients for each separate communication channel, such as SMS, telephone, email and post. One blanket consent won’t be enough. So how will this affect your patients?

Existing patients

Your existing patients are not affected for dental treatments and check-up reminders but, and it’s an important but, you cannot simply email them to tell them about your new facial aesthetics department. You will have to obtain their permission first, which can be done easily when you email out your reminders. Remember, they have to opt in and give you explicit consent. Silence, pre-ticked boxes and inactivity cannot be taken as consent. If you are sharing their data with third parties like insurance companies then consent also needs to be sought for that.

New patients

All new patients will be invited/asked explicitly to opt in to being informed about reminders and being kept up to date on new treatments/promotions/anything over and above their treatments within the practice.

New patient enquirers (prospects)

When a new patient contacts the practice and fails to make an appointment, you need to obtain their permission to contact them via SMS, email or printed communications if they are happy to be kept up to date with the practice developments. You cannot retain their data without this opt-in permission.

We talked to Kelly Neill at Aerona, the cloud-based dental software company, for her take.

Kelly, are practice owners and managers right to worry?

There’s been some scaremongering but it’s not as complicated as people think. Broadly speaking, if people have been complying there’s nothing to worry about, because these protections have already been around for many years. It’s just that every country had their own specific rules. From May 25 there will be a blanket approach across the EU.

What are the main changes?

The emphasis is on the data subject — the individual — who gets power over what happens with their data. They have the right to see it or have it deleted. That means it’s all about consent now. Any company using your private data needs consent for that purpose.

Is this a good thing?

I genuinely think the public don’t realise how much data they’re giving away. This legislation is there to protect us. For a number of years we’ve had rights as individuals, now we’re going to have more, so yes I do think it’s a good thing. It just means slightly more admin for businesses.

What do practices need to do to prepare?

GDPR is about how you handle private data. The biggest change is that when new patients join your practice, you will need to record their explicit consent if you want to send them marketing material. Don’t keep excessive information on patients, and if a patient has lapsed have their file marked as inactive. The onus is on you to keep your records up to date too, so you should be checking if any medical history details have changed each time you see them.

If you have a mailing list what do you need to do?

You can’t have pre-ticked boxes any more. That had already changed but wasn’t law. It’s law from May 25. This is great news because it means we will all receive less junk mail. Anyone on your list up to May 25 is already covered by data protection law, but for anyone who joins after May 25 you need to capture evidence of their consent. To be safe, check with your old patients if they’re OK with it, and record their response somehow.

What about appointing a data officer?

Every business is recommended to have a data protection officer (DPO), and there should be a process in place in case of a breach. For example if the receptionist thinks she’s made a breach, for example by leaving private data visible on her desk (I saw this happen just the other day), there has to be an agreed procedure. Depending on what level of breach it is you will have to inform certain people. With any breach you should inform the data commissioner. If the breach affects an individual they must be informed within 72 hours, as well as the relevant supervisory authority.

Are practices grumbling about this?

Yes, but you haven’t got a choice, so it’s easier to take a positive approach. It has to become second nature so your practice lives and breathes it. At first it might be annoying for patients who are asked about their medical details every time they come in, but remember it’s for a good reason. A better approach is to focus on how GDPR is protecting everybody, because we are all private individuals.

Can practices outsource this?

Yes and no. You can have an external DPO but they will still need to make changes to your internal processes. And it’s still ultimately your responsibility as a business owner. Really you need to be empowering all your staff, educating them and training them so they all feel equally responsible for it. A breach can happen anywhere, and if it’s not dealt with properly the business can be fined either 2% or 4% of global annual turnover depending upon the severity.

Tell us about your course

Our next webinar dates are 23rd March, 13th April and 11th May, 2-5pm. We can also deliver this course in-house/onsite. We are also offering this session free of charge if you sign up to a 12-month subscription with us. The cost is £195/€195 per practice. It covers:

  • Overview of GDPR
  • What is GDPR?
  • How is it changing?
  • What data does it concern?

GDPR comes into force on May 25 2018 and there are some main changes that dental practices need to be aware of such as consent and what you need it for, who the law affects and what data it concerns. However if you have been broadly compliant then these changes should make minimal impact upon your business. 

  • Relevance to your practice
  • Best practice
  • Managing compliance
  • Assigning roles within your practice
  • Identifying data
  • Enforcing compliance

What the changes mean for your practice and how to manage them. Our recommendations for best practice and business processes to keep you within the new GDPR laws. Who is responsible and what it means for those working within your practice. 

  • Putting into practice
  • How to become a leader in GDPR
  • Handling privacy breaches
  • How to manage data
  • Consent and transparency

How to make sure data you hold is protected and what happens if you suspect a breach. Ensure that you have the correct procedures in place and that you respond in time. Who you must inform and the penalties involved if there is a security breach.

Contact [email protected] or call 028 70002040.

Author: Zac Fine