GDPR and what it means for Veterinary Practices

GDPR is coming and most veterinary practices do not appear to be aware of their impending responsibilities, let alone be ready for the new rules that will be enforced from 25th May 2018.

GDPR stands for the General Data Protection Regulations and they are a piece of European legislation that…

  1. Will be wholly adopted by the UK, regardless of Brexit
  2. Is essentially an evolution of our current Data Protection Act (DPA) – but with teeth (there are fines for non-compliance and an enforcement regime is being put in place as we speak)
  3. Will practically impact every veterinary practice

To help practices properly understand not just what they need to do but how they will actually achieve a greater degree of compliance, we've created two helpful resources.  

The first is a free webinar that explains the basics of GDPR for vets.  It explains what your practice will have to do. 

Watch our free webinar on GDPR for vets

The second is an article that outlines the three options every veterinary practice has to move their business towards becoming more compliant.  It explains how you could become more compliant

Read our '3 routes towards GDPR compliance for vets' article

Alternatively, read on and in the next few paragraphs I'll explain the basics...

What is GDPR trying to achieve?

GDPR is essentially seeking to protect personal information from misuse and abuse, so despite the administrative burden for businesses at a personal level it’s a good thing.  GDPR’s fundamental premise is to protect that most valuable of assets (in an increasingly digital world) our private data.

So, if you’re a vet that runs a payroll – you’re in.

If you have a security camera somewhere in your business – you’re in.

If you offer employees work mobiles, or if you hold employee or supplier contact details on your mobile phone (or on your PC for that matter) – you’re in.

And, if you send, or one day would like to send, marketing emails to clients or prospective clients, then you’ll need to be in.

In short, if you’re a vet, you’re in and you need to do something about it now.  Even if that’s only contacting us or attending on of our free GDPR for Vets webinars across September and October. 

What data is within scope of GDPR?

Articles 1&2 of the regulations define ‘in-scope’ data as any information of a living individual that can used to identify them and that’s processed by you – that is to say collected, stored or used in any way.

The data categories that are held by most practices and that would fall under GDPR include;

  1. Client contact details and certain categories of patient clinical data
  2. Employee & HR records
  3. Supplier records

What do practices need to do to be GDPR compliant?

That’s actually a pretty big question and practically the answer will be different for every practice. There will be similarities for certain classes of practice that will make compliance more straightforward. But in broad terms the ‘To Do’s’ on every vets’ action plan for compliance will gather under three general headings. You’ll need to…

  1. Be informed & accountable
  2. Be secure and compliant
  3. Obtain consent and protect rights
  1. In more detail, ‘to be informed and accountable’ means that the correct staff within the practice need to understand their responsibilities and rights under GDPR and this will involve appropriate training.
    1. Owners, Partners and or Board members will probably need training and ongoing CPD to understand their responsibilities.
    2. At a certain level, some practices will need to hire or appoint Data Protection Officers. These people at a minimum will probably have been on more detailed training courses to gain some level of accreditation. In reality many of those that need a DPO will hire them in – as you would a H&S consultant.
    3. Selected practice staff will need more limited and focused training to make them aware of how GDPR affects their roles and how what they do impacts the broader business. This training could conceivably be delivered via e-learning.
  2. To be secure and compliant
    1. Every practice, no matter what its size, will probably need to undertake a data mapping exercise (DME) that will act as a kind of data datum from which all other practical actions will flow.
    2. Following the DME any data processing that could put personal data at risk – for instance passing data to other practices, will probably need to undergo a Data Protection Impact Assessment (DPIA).
    3. Recommendations that result from the DPIAs will then need to be implemented
  3. And to obtain consent & protect rights
    1. Once a practice’s data processes are compliant and if the practice wants to market to their clients via email or by post then that organisation will need obtain their data subjects’ consent.
    2. Even the sending of vaccine reminder statements comes under GDPR as the processing of various data categories for certain things is dealt with under six principals and on six different legal bases by GDPR. Every practice will also need to take account of specific personal rights that GDPR offers data subjects and that confer a legal obligation on the business. If you’ve not yet been the subject of a Subject Access Request, the chances are that in the period following May 2018 you will.
    3. One big change for most of Connected Vet’s clients will come around consensual data processing as the processing of personal data for marketing purposes is definitely subject to GDPR and will definitely require both practice and agency to make practical changes to remain compliant. However as I’ve indicated above GDPR will cover so much more than that.

What practical actions can vets take to move towards compliance?

After completing a GDPR practitioners course and taking part in numerous data flow audits for veterinary practices, i'm now in a position to say that I believe there are three routes a practice can practically take to move towards compliance.  

1. The Un-assisted route where you do the whole process yourself.

2. The Supported route, where you get a consultant in to help.

3. A Self-serve route, where you get get help to complete the process yourself.  This is the route that the SPVS are recommending and that i believe most practices will ultimately take. 

You can get more detail on all of these routes if you read my blog on 'The 3 routes towards GDPR compliance for vets'.

Read my '3 routes' blog

In the meantime, if you have any questions you might want to drop me a line or check out my developing blog post 'GDPR Q&As for vets' that answers some of the main questions vets ask us about GDPR. 

Andrew Rastall