GDPR Q&As for Vets
Over the last few months, as we have broadcast our ‘GDPR for Vets’ webinars, completed our Data Flow Audits, written the Gap Analysis Reports, liaised with third-party data handlers, briefed practice owners and staff and continued our own GDPR CPD, we have been asked many questions that are specifically relevant to minimising the risk of a veterinary practice not complying with the GDPR come 25th May 2018.
So, we thought we’d share the most common questions and offer the responses we made in return.
As with all the GDPR material on this website, these answers are our opinions as GDPR-certified practitioners and are not given as, or intended to be used or relied upon in any way as, legal advice.
See what the ICO has to say
If you’d like to see the ICO’s Q&As for small businesses you can see them here, or better still, if you have a specific question, you can call the ICO on their dedicated helpline for small businesses on 0303 123 1113.
If you’d like to hear more about our ‘3 routes to GDPR compliance for vets’ why not read up on the options we think veterinary practices have to actually become compliant.
In the meantime, here are a few of the most popular questions I'm asked, with my view of the answers. Do check back from time to time as I’ll update these each time I come across a theme developing. Please don't forget that these answers are just my opinion and are not given as, nor should be relied upon as, legal advice.
The right to be forgotten
Q. If the client of a veterinary practice asks that practice to delete their data and then, at a later date, raises a complaint against the practice (for instance with the RCVS) how will that practice be able to defend itself? The personal data the practice would have used to defend itself would have been destroyed at the client’s request.
A. In this example, if a client of the veterinary practice exercises their right to erasure (also known as the right to be forgotten) in respect of the personal information which the veterinary practice holds about him/her, then the practice is not required to delete all the client’s personal information.
The right to erasure is not absolute. The practice can retain the client’s personal information for certain specified purposes, including the establishment, exercise or defence of legal claims (GDPR Article 17(3)(e)). In practice that means keeping only the records you genuinely need for that purpose (the clinical and client records, not, for example, marketing preferences), deleting the rest, and recording in your retention policy why those records are kept and for how long, so you can show the basis for the decision if the client or the ICO asks.
Social media permissions
Q. We obtain verbal consent to use images and information of clients and their pets on social media. Is this sufficient?
A. I think it can be, as, while obtaining written consent is preferable, due to the nature of these types of post that's not always feasible. Consent can be given verbally, but written consent offers some important advantages, not least that a consentee can forget that they've given verbal consent. Don't forget that you'll have to manage the processing of those consent forms in line with GDPR rules.
Opt-in #1 - read on, there will be more on 'Consent' ... Much, much more.
A. I'm assuming that this vet is referring to a situation where clients may have to 'Opt-in to receive emails from the practice'. This is one of the most commonly misunderstood elements of the GDPR and the answer, in this case, comes in three parts.
Part 1. 'I understand that owners have to opt-in with a tick box,'... Well, there are six legal bases (GDPR Article 6) on which you may rely to process a data subject's personal data. You need to understand the use case for each of the six in order to properly determine if 'Consent' (the basis normally associated with 'opting in') is required in this instance.
For instance, whilst gaining a client's consent by asking them to tick a box in order to opt them in, so that you can send them marketing messages, may be necessary in certain circumstances, it is not necessary for other important types of processing. Take the most common example of using clients' personal data in order to send them bills or appointment reminders. In this case, you are more likely to be relying on 'contract' (the processing is necessary to provide the service the client has asked for) or 'legitimate interest' as your legal basis for processing. So, no consent, opt-in or tick box is necessarily required.
Part 2. '... how does that work when they register over the phone to book an appointment...' So, consent (if you think you actually need it, which, in order just to register a client and treat an animal, you don't) can be given verbally; however, best practice would be to get written consent as soon as possible... IF you know you need it.
Insurance against losses relating to data protection
Q. Can you insure against the risks raised by the new GDPR?
A. Yes, you can. For cover ranging from the direct costs of being hacked through to the broader losses incurred as a result of a data breach, you should seek 'Cyber Cover' or 'Cyber Insurance'. A quick Google search will reveal a number of providers if your current broker doesn't offer such cover. Check the policy wording carefully, as what is covered (for example breach notification and investigation costs, business interruption, and whether regulatory fines are covered at all) varies widely between policies. Any reputable provider of advice on how to manage compliance (like Connected Vet) will have professional indemnity cover, but this doesn't cover your practice for the losses it may suffer should you suffer a breach.
More Q&As will be posted as we move towards the May deadline. In the meantime, we strongly urge practices to take the free GDPR for Vets Overview module on the Connected Vet Academy. This will tell you what veterinary practices need to do to become GDPR compliant, as well as offering information that will help you make a decision about which of the three routes you intend to take. Then either...
2. Download the 'Data protection tick-list for vets' to kick off your un-assisted route.
3. Purchase our full Self-Serve online course now at a 'beta release' price of just £400.
4. If you're a SPVS or VetShare member, reserve our 20% offer for your practice now and get both the E-learning course and the Data Protection Documentation Pack for just £760.