GDPR For dental practices

GDPR – Yes, more regulations to comply with

You may be aware that the General Data Protection Regulation (GDPR) comes into force in May of this year. The regulation does not give exact wording for what you should do in a dental practice, but it does give definitions. I am therefore recommending that, if you use any form of dental online marketing, you ensure you meet the standards as they are interpreted.

CONSENT

Doing consent well should put individuals in control, build patient trust and engagement, and enhance your reputation.

According to the Information Commissioner’s Office, consent

“…must be freely given, specific, informed, and there must be an indication signifying agreement. However, the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action.”

It must also be unbundled, have an active opt-in, name your organisation, be documented, and be easy for the individual to withdraw from.

To comply with this, I suggest you add a consent box to every single signup form on your website.

Accompanying this should be a tick box which everyone has to tick; this should then be stored in their record in your e-mail system as a record of consent. Should anyone question whether you have consent to send e-mails, you can check back in the register to prove that they clicked this box.

I also recommend adding a double opt-in.

Potentially, someone could maliciously enter someone else’s e-mail address into one of your forms. To prevent this, all individuals should be required to verify their e-mail address: when they complete any form on the website they should be sent a verification e-mail containing a link they need to click. If they do not click that link, for whatever reason, then you cannot use their e-mail address for any e-mail marketing.

What happens about existing e-mail subscribers?

It seems that if someone is considered a ‘customer’ then you can legitimately send them e-mails; you can therefore continue to send patients e-mails IF they can be demonstrably proven to be customers.

People that have not been to the practice are more difficult.

If the e-mail program you use is considered a service and there has been ongoing recipient e-mail engagement (opens or clicks), then this may be sufficient to show an existing customer relationship. As a customer, you can legitimately send them e-mails so long as the e-mails are considered a unique service in themselves.

Remember, the e-mail program needs to be a valuable service in its own right.

The system I use for e-mail is Aweber; this system is able to filter subscribers that have not interacted with an e-mail after a given date. I would suggest that you filter non-active subscribers within six months and delete any subscriber that has not interacted with your e-mail system during this time.

This will then demonstrate that you have an active GDPR policy for historic e-mail contacts. Of course, all new contacts will have consent requested at the beginning.
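As an added illustration (not the author’s setup and not Aweber’s API), here is a hypothetical consent register that ties together the three practices above: a record created only when the consent box is actively ticked, a double opt-in token that must come back before the address can be e-mailed at all, and a purge of addresses that have shown no interaction for roughly six months. The class and function names, the 182-day window and the sample addresses are all constructed for the example.

```python
import secrets
from datetime import datetime, timedelta, timezone
# Hypothetical in-memory register: not Aweber's API or any real mailing system.
class ConsentRegister:
    def __init__(self, inactive_after=timedelta(days=182)):   # roughly six months
        self.inactive_after = inactive_after
        self._subs = {}      # e-mail -> consent/verification record
        self._pending = {}   # verification token -> e-mail awaiting the click

    def subscribe(self, email, consent_ticked, form_name, now):
        if not consent_ticked:   # no record at all unless the box was actively ticked
            raise ValueError("consent box not ticked")
        email = email.lower()
        token = secrets.token_urlsafe(32)   # unguessable, single use
        self._subs[email] = {"consent_at": now, "form": form_name,
                             "verified_at": None, "last_interaction": now}
        self._pending[token] = email
        return token   # goes into the verification link e-mailed to the address

    def verify(self, token, now):
        # Only the mailbox owner can present the token; an address typed in by someone else never verifies.
        email = self._pending.pop(token, None)
        if email:
            self._subs[email].update(verified_at=now, last_interaction=now)
        return email is not None

    def record_interaction(self, email, now):   # an open or a click
        if email.lower() in self._subs:
            self._subs[email.lower()]["last_interaction"] = now

    def can_email(self, email):   # the check to run before every send
        rec = self._subs.get(email.lower())
        return bool(rec and rec["verified_at"])

    def prune_inactive(self, now):   # drops never-verified and long-inactive records
        cutoff = now - self.inactive_after
        stale = sorted(e for e, r in self._subs.items() if r["last_interaction"] < cutoff)
        for e in stale:
            del self._subs[e]
        return stale

def run_demo():   # constructed sample data
    reg, t0 = ConsentRegister(), datetime(2018, 5, 25, tzinfo=timezone.utc)
    tok = reg.subscribe("Alice@example.com", True, "newsletter", t0)
    before, bad = reg.can_email("alice@example.com"), reg.verify("guessed", t0)
    reg.verify(tok, t0 + timedelta(hours=1))
    reg.record_interaction("alice@example.com", t0 + timedelta(days=100))
    reg.subscribe("someone.else@example.com", True, "newsletter", t0)  # never clicks
    pruned = reg.prune_inactive(t0 + timedelta(days=200))
    return before, bad, reg.can_email("alice@example.com"), pruned
```

The returned tuple shows the address is unusable until the link is clicked, a guessed token is rejected, and the never-verified address is the one removed by the six-month purge.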

IMPLEMENTATION

You have until May 25th 2018 to implement this so I recommend you pass this information on to the person that manages your e-mail marketing.

Resources for bedtime reading, should you so desire. Please ensure you have read these documents in full before acting on any advice given above:

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

HAVE FUN 🙂

