GDPR – 18 Months

Photo - representing EE Limited

GDPR – 18 Months

Data Protection – Where are we now?

Well, the world didn’t end on the 25th May 2018 after all. This was the date that GDPR became ‘law’. Having been approved by the European Parliament in April 2014, the General Data Protection Regulation was rolled-out across Europe to bring a standardised approach to the management and use of personal data across Europe.

While it is no-longer a headline-hogging bogeyman, there is still confusion about GDPR. And while the regulators are taking an ‘advisory’ stance with most smaller businesses, they have come down hard on a few big organisations and large-scale transgressions. Even in it’s first ‘transition’ year, 206,326 cases have been reported, and €55.96m of fines were levied (according to online tech publication, The Register). These were spread across the 31 countries covered by the regulations.

Those figures may sound terrifying to those who don’t follow the subject closely, but €50m of those fines were levied against Google by France.

Read into the details and you’ll find that 65,000 breaches were reported by data controllers – part of the standard procedure in dealing with a data breach. Less than 45% of the total came from complaints.

In the UK, it is worth noting that a large percentage are about Subject Access Request handling – the process by which individuals can find out what information is held about them.

So what does this mean for dentistry?

It means that no-one in the dental industry should lose sleep of GDPR. But nor does it mean that we can all forget about it and pretend it doesn’t apply to us. IT DOES.

However, the UK Information Commissioner’s Office (our enforcement agency) places more emphasis in dealing with the massive data breaches by huge multinationals than it does on small businesses, such as the typical dental practice.

That said, the information practices hold about patients is highly personal and highly confidential. Therefore any breach wiould have a higher weighting [in their system of calculating penalties] that might otherwise be the case.

The obligation and consequence are still there.

Photo - EU Building
The EU voted GDPR into Law in April 2014
Photo - representing EE Limited
EE Limited was fined £100,000 for sending over 2.5 million direct marketing messages to its customers, without consent.

So what should you do?

If you refer back to my post on the subject in April 2018 we walk you through all the steps you need to take. It’s all common sense and good practice that supports guidance from the NHS, CQC and GDC about how you should treat patients and information about them.

Essentially, GDPR is pretty straightforward for dentists. However, as the regulator deals with legacy issues and advises smaller organisations on how to comply, it will almost certainly become more strict in enforcement.

So now is the time to ensure your software and manual record keeping is up to scratch, that your use of data is well managed and documented, and that all your staff are trained in what the must, may and should not do with patient information.

Logo - Information Commissioners Office

Where else can I get help?

EU GDPR.ORG is a great source of information, but probably the most important source in the UK is the Information Commissioner’s Office (ICO).

And for those who like to feel smug about their GDPR compliant processes, the ICO publishes a webpage and Newsletter on the actions it’s recently taken.

Why Pearl?

We think Pearl provides the most complete support across the whole patient journey. And part of that support is to provide databases, workflows and procedures that help you comply with GDPR. If you have any questions about how Pearl supports compliance, please call us on 0116 275 9995.


Charlotte Taylor