General data protection regulation (GDPR) is a new law, enforceable within the UK from 25 May 2018, intended to unify and strengthen protection of data for people within the European Union. GDPR hands back the control of personal data to the citizens.
The scope of GDPR extends far beyond Europe. The GDPR relates to all business or organisations that handle data which includes personal data of the EU residents. Handling data includes storing, processing, and transmitting data.
Under GDPR, health care seekers have:
- the right to access their personal data
- the right to be forgotten once they cease to be patients or withdraw consent
- the right to be informed
- the right to restricting data processing
Tips to ensure your medical website is GDPR compliant
Do not store contact and referral form data on the website
When a website visitor submits a message using a contact or referral form, the data they have submitted should not be stored on the website. The data should auto-email to your relevant email address. This is a sensible and GDPR compliant strategy. It helps avoid vulnerability caused by data leaks and reduces the volume of data that requires storing, backing up, securing and making compliant. If the website was ever hacked, the hacker would not be able to access or retrieve any personal data.
Obtain explicit consent on contact and referral forms
To attain compliance, it will be a requirement for website forms to ensure the visitor is aware of what their data will be used for. This could be achieved by use of a small pop up messages at relevant points while filing the form. successful applicants will then have to clearly consent to use of this data before submission. A simple checkbox and a message along the lines of ” I consent to this data being used for the above purposes.” This should be a required field so that the data is not submitted without this clear consent.
Have a clear privacy policy
Create a page that outlines your privacy policy. This page should ideally be linked to the footer so that it is easily accessible at any point on the website. Attach a link to the privacy policy when asking for consent.
The Information Commissioner’s Office (ICO) has a concise, transparent, and easily accessible sample privacy notice that you can use on your website.
Provide an easy way for users to request for their held data, withdraw consent and have data deleted from the records
An easy way to include all these options is to include a form in the Privacy policy page allowing visitors to request either to see or remove data that you may be holding. The form will have to ask for the visitor’s email address to make it compliant. Run a manual check on this email address against existing data you hold. Reply if necessary. It may be worthwhile creating a new email address, such as dataprotection@… specifically for these requests.
Hire a data protection officer
A data protection officer is a person chosen by the data controller whose duty is to monitor internal compliance of GDPR for healthcare providers. The officer could be a trained employee of the institution or the position could be outsourced.
SSL certification
Finally, while HTTPS encryption relays a lot of truths, it is not a requirement that falls under the remit of the GDPR. That being said, any patient information submitted through contact forms is classed as ‘sensitive personally identifiable information’ and should be in place to ensure the website is not in breach of the EU Data Protection Act.
Consequences of non-compliance with GDPR
The infringement of GDPR articles 5,6,7 and 9 carries a fine of up to 20 million pounds or 4% of the total global revenue of the previous year. The greater of the two is what is charged as the penalty fine. Noncompliance with articles 8,11,25 to 39,42 and 43 carries a fine of up to 10 million pounds or 2% of the total global revenue of the previous year. Again, the greater of the two is what is charged as the penalty fine.
The GDPR law is on the brink of being affected and the time to be GDPR compliant is now. GDPR compliance is easy and has been set up for a worthwhile cause.
