Evolution not revolution

James Goldman, the BDA's Associate Director of Advisory Services

The GDPR is a complex piece of European legislation, almost 100 pages long. It was designed to add transparency and control to the principles of data security and data protection already enshrined in UK law.


But its birth was not easy. The new UK Data Protection Act, which should be read side by side with GDPR, only came into force on 25 May 2018 and was a further 400 pages long. With so much guidance still emerging from the Office of the Information Commissioner (ICO) and other official channels in the weeks leading up to 25 May, it was difficult to be prepared.

Yet, through it all, if you listened carefully, was the clear, calm voice of Elizabeth Denham, the Information Commissioner herself. She was saying that the ICO was looking to help businesses. Through discussions with David Evans, the Data Sharing and Privacy Projects Lead at NHS England and the ICO, we were able to put together a package of sensible advice that allowed our members to comply with GDPR in a measured, sensible fashion. We worked hard to ensure our members had what they needed to comply.

Nevertheless, May 2018 was not calm. It was not quiet. Concerns about GDPR were a constant refrain. Many practice managers were worried about being the named data protection officer – a requirement of GDPR – and becoming liable for any breach. It was difficult for them to distinguish genuine advice from a sales pitch from a GDPR consultant, and there were a lot of “experts” suggesting that practices should do more than was necessary.

An example of such ‘misinformation’ was shared with us recently by a member. A patient of the practice was a data protection officer for another company and they raised concerns about the BDA's medical history form. This asks patients to provide next of kin details without specifying that the next of kin should consent to their data being held. However, the ICO confirmed that practices do not need the next of kin's consent as long as they only keep and use that information should there be an emergency. This illustrates not only that some so-called experts are being over-enthusiastic in their interpretation of GDPR, but also that the ICO is a reasonable regulator.

Common queries we received in May were:

  • how to give privacy notices

  • can we still send recalls and reminders (you can)

  • who can be a data protection officer

  • when do you need data processing agreements.

From the calls we took and from what we have seen, we believe the profession coped very well. Once we were able to help members understand the difference between the scare stories and the reality, they and their teams simply got on with implementing yet another layer of compliance.

GDPR is not so much a seismic change in data protection law as an evolution, and it should not be a substantial administrative burden. It should simply reinforce that patients should know what information you hold, why you hold it, and have some say in how it's used.

Training the team to oversee opt-in/opt-out

Trudie Dawson is practice manager for Ernevale House Dentistry

The GDPR was not a problem for our practice. We are fully private and had an extensive information policy in place prior to May 25th.

I extended our Information Governance (IG) folder with an extensive computer audit incorporating staff access and their security levels. As patients now have to ‘opt in’ with regards to the extent of contact from the practice, all staff have been trained in the new legislation.

As all of the team spend time working in reception, everyone has received the same training. Each patient is asked if they want the practice to contact them and this is marked in the appropriate section of the software. I can in future audit that this continues to be done. If they opt for additional contact to include offers or newsletters, then we print out a form for the patients to sign which states that they have given us permission to contact them. This is then scanned into the patient's electronic file. This can also be evidenced via audit.

With regards to patients having the right to ‘not exist’ in your data, I have created a policy which explains to patients that we can mark them on the system as ‘non attending’ and they will no longer receive any contact from the practice. Once the legal time frame for storage of medical information has passed, we are then able to remove them from the system.

Newsletter opt-in becomes good practice

Julie Kommers is receptionist for the London Lingual Orthodontic Clinic

Earlier this year we had two mailing lists incorporating around 1300 names. These were the email addresses of patients and referrers on our database. We had early notice of GDPR and decided to act promptly. We sent out a newsletter to our two lists, patients and referrers, inviting everyone to opt in to the newsletter. This was repeated in early May. We now have around 150 people who have opted in. This was a dramatic decrease but on the plus side, those who are now subscribers are very engaged with the newsletters. Feedback from Mailchimp shows a high percentage clicking our links which is very rewarding. We have also updated our medical history form, which now explains what personal data we hold and why. When we have new patients, they get to choose whether they want to receive the newsletter and once again, a good percentage opt in. As a result of GDPR, patients are reassured that we take their privacy seriously. I would say that although it caused some additional extra work earlier in the year, the net result is positive for the practice and our patients.

The practice manager's privacy panic!

Lisa Bainham is practice manager at The Old Surgery Dental Practice in Crewe as well as President of ADAM

Over the last year we have witnessed the whole of the dental profession (and the world outside of dentistry) in some kind of blind panic over GDPR and the changes that came into force on 25th May 2018.

There was a huge amount of confusion and uncertainty over what practice managers within our dental practices were supposed to do. Various publications and guidance were released based on predicted requirements to allow preparations to start, but still, on the whole, it was unclear and caused a fair amount of stress.

ADAM (Association of Dental Administrators and Managers) wanted to support and reassure our members through the process. We provided practical and legal advice from reputable partners avoiding individual opinions or companies looking to potentially “cash in” on the upcoming changes. ADAM worked closely with CODE iComply to support our members and they provided them with simple key steps to take.

We took legal advice on what the challenges are, potential fines, and the importance of recognising how the changes not only affect our patients, but our wider team.

The message we sent to our members was to stay calm, review your policies, plan ahead and stay up to date as the guidelines change. This is exactly what we expect ADAM members to do in other areas of compliance.

So… where are we now?

Well, my inbox is still absolutely full of a million spam emails every day! The CQC, as far as we know, has not started inspecting practices on GDPR compliance yet and the world has not ended. We can still market our practices, contact our patients and grow our businesses.

Key GDPR points

  • Be open about the information you hold and how you use it.

  • Ensure you have a privacy notice in place.

  • Give patients control of how their data is used by inviting them to consent to newsletters or other mailings.

  • Inform patients how you are going to use their photographs – they must give their written consent if this is for promotional purposes.

  • If your patient leaves the practice, remove their details from the database once the time limit for holding patient records has passed.