From 25th May 2018, the EU General Data Protection Regulation (GDPR) will finally come into force, replacing the outdated European Union Directive on data protection that has been in place since 1995. This was a pre-internet era and existing laws do not address the many ways in which data is stored, collected and transferred today. GDPR is seen as key to reducing the growing incidence of cyber breaches. 46% of UK businesses were reported to have experienced a breach or cyberattack in 2016 and that figure is on the rise. How will the GDPR impact aesthetic practitioners? Are you ready for 25th May 2018?
Will the GDPR impact aesthetic practitioners?
The first question to consider for those in the industry is, will the GDPR impact aesthetic practitioners? This is a straightforward one as every UK organisation that handles personal data will need to comply with the GDPR, regardless of the Brexit process. Theresa May has made it clear that EU law will translate into our own domestic regulations once we leave the EU. So, the need to comply is not going to go away. Due to the sensitive nature of personal data that aesthetic practitioners hold, it is important that you have an understanding of how these changes will impact your business.
There has been much scaremongering around the threat of fines for failure to comply, and it is true that the most serious infringements can incur fines of up to €20 million, or 4% of an organisation’s global annual turnover, whichever is greater. However, the new laws are about putting the consumer first and as a responsible aesthetic practitioner, having measures in place shows your customers that you are taking their data protection seriously. Worryingly, with the May 25th implementation fast approaching, only 3% of businesses are prepared for the deadline.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act, so the Information Commissioner’s Office (ICO) states that if organisations are complying properly with the existing law then current approaches to compliance may be used as a starting point to compliance under GDPR. However, there are new elements and significant enhancements, so organisations will be required to introduce new processes and procedures. The ICO has issued a checklist of twelve steps that organisations should take to ensure they are ready to comply with the new GDPR in May 2018, which can be found via the following link.
What are the main principles of the GDPR?
The principles set out in Article 5 of the GDPR can be summarised as follows:
a) All data that you process must be processed lawfully, for example it is not shared with third parties.
b) All data that you collect must be for a specific purpose.
c) All data that you collect needs to be relevant and limited to the purpose that you require it for.
d) The data needs to be as accurate as possible and should be updated if changes occur.
e) All data that you keep needs to be in a format that makes it easy for you to locate, and it should not be held for longer than required.
f) The data must be stored securely, whether in hard copy or electronic format. It should not be accessible to unauthorised people and should be stored in such a way that it cannot be accidentally lost, destroyed or damaged. Hard copies of patient files should be locked away in a filing system; for electronic data you should ensure that the data is encrypted and that a backup is in place in the event that something happens to your system.
For a more detailed overview of the themes of the GDPR aimed at those who have day-to-day responsibility for data protection, the ICO has put together a comprehensive document which you can access here.
How will the GDPR impact aesthetic practitioners?
Having established that the GDPR will affect anyone who deals with personal data, the next question is, ‘how will the GDPR impact aesthetic practitioners?’. Some of the changes that will come in on 25th May are of particular relevance for aesthetic practitioners. The following areas show in more detail how the GDPR will impact aesthetic practitioners:
Increased responsibilities for both ‘controllers’ and ‘processors’ of data:
There are two key groups dealing with data that the law will apply to. Firstly, the ‘controllers’, who are responsible for determining the purpose and means of processing personal data. Secondly, the ‘processors’, who are responsible for the processing of personal data on behalf of a controller. Depending on which role you hold, there are different requirements within the new law that you need to be aware of. There will be increased administrative requirements and obligations for data processors, including the ability to provide a full audit trail for the data held. The GDPR also places further obligations on controllers to ensure that their contracts with processors comply with the GDPR.
Increased requirements for consent of personal data:
Under the new regulations there will be increased requirements for consent to the processing of personal data. Under current regulations, data subjects are already required to give their permission for the business to hold their data, but from May 25th, consent from the patient will need to be more detailed and include explicit consent for its exact use. This consent must also be easy to withdraw.
Changing definitions of personal data:
Definitions of what is considered to be ‘personal data’ will be more specific under the new regulations. There are two types of data that the law will apply to. ‘Personal data’ refers to any information relating to an identifiable person who can be directly or indirectly identified from the information held on them. Examples of identifiable data are names, identification numbers, location data or online identifiers, reflecting changes in technology and the way organisations collect information about people. ‘Sensitive’ personal data will be deemed ‘special categories of personal data’ under the GDPR and includes data relating to racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic data, and data concerning health, sex life or sexual orientation.
Within aesthetics much of the information held by practitioners is sensitive personal data and extra safeguards will apply to its processing.
There are many tools available on the internet to assist with risk assessments and reviewing your existing procedures. Most companies will have existing policies in place which need updating. For more information, please feel free to contact Hamilton Fraser Cosmetic Insurance to assist with your individual business requirements.
Do you need cyber liability insurance?
When considering the question ‘how will the GDPR impact aesthetic practitioners?’ it is important to think about cyber liability insurance as part of your risk mitigation strategy. As a cosmetic practitioner you should not underestimate the interest online criminals might have in your business or the chaos a cyber incident could cause. Cyber liability insurance will offer protection in the event of any loss, illegal threat or interruption as a result of a cyber-attack. Comprehensive insurance cover will also offer practical support in the event of a data breach, from legal advice to notifying customers or regulators. For more information contact Hamilton Fraser’s Cosmetic Insurance team on 0800 63 43 881.