GDPR A Simple Overview
Have you started looking at GDPR for your health and wellness business? Just in case you aren’t familiar with the term GDPR (where have you been hiding?), it stands for General Data Protection Regulation, which comes into force on 25th May 2018. If you’re not based in the UK or Europe but you have clients who are, you still need to take notice.
Even if you’re outside of these areas, consider this an opportunity to streamline what you do. You could save yourself time as well as improving your data systems and security. As a business owner, you have a responsibility to look after the data in your possession.
This series of articles is not a replacement for legal advice (little disclaimer: I’m not a solicitor). I hope it will provide you with the comfort that GDPR doesn’t have to be the big scary monster some are portraying it as.
GDPR is a regulation, which means it’s a legal requirement, and the Data Protection Bill will take over from the Data Protection Act 1998 when it comes into effect.
There are still a lot of grey areas with the regulations and the word ‘appropriate’ is used a lot. We won’t have all the answers to all our questions until the regulations are in place, so we just need to do our best and get started.
Benefits of GDPR
As individuals, we have a right to know what companies do with our data and to have a choice over what information is held and by whom. It will also lessen the spam you receive in your inbox.
As a business, robust processes will lessen the risk of you losing data, and being compliant means you are protecting yourself.
Types of Data Covered
Data covers both electronic and paper records, and two types of data are identified.
Personal Data
Anything that can identify an individual, either directly or indirectly, is classed as personal data. It includes: name, address, notes, identification numbers, invoices, email address, IP address etc.
Sensitive Personal Data
These are the special categories of personal data, and the sort of information you are likely to hold on your clients. They include any genetic or biometric data that, where processed, will uniquely identify an individual. Examples include health, genetics, race, religion, sexuality, politics etc.
Responsibility and Roles
There are two roles that are responsible for and interact with the data. As a small business, most complementary practitioners will fill both roles. This will change when you employ staff or outsource certain tasks to a virtual assistant (VA).
The Controller is the person who makes the decisions about what happens to the data, e.g. if you want to send out a newsletter to your clients, you decide to use the data (name and email address) to contact them.
The Processor is the person who actually processes the data on behalf of the controller, e.g. a VA who sends your newsletter out is processing the data for you.
Principles
There are six principles that outline how data should be treated. This is a link to Article 5 of the GDPR for full details. My simple take on these principles is:
Look after the personal data you hold in line with these principles and any other laws that apply, ensuring you do so in a fair and transparent way that is clear to the individual(s) involved.
Communicate exactly what you are using the collected data for and use it for that reason only.
Only collect the data you need for the purpose and nothing more.
Be careful to collect accurate data, and if there are any mistakes, correct them quickly.
Only keep the data while you need it, and safely delete it when you don’t.
Be responsible in the way you hold data and take measures to keep it safe.
The next article looks at where to start with GDPR. If you currently operate within the Data Protection Guidelines, the transition should be an easy one.
Full details of GDPR can be found here on the ICO website.
Just to be clear, this information is my interpretation from my research into GDPR and does not represent legal advice. Please consult a qualified solicitor for legal advice specific to your situation.