GDPR For Private Physiotherapy Practice
This week’s CPD training at Sports Physio UK was focused on integrating the team into our GDPR compliance process.
The new GDPR legislation, introduced in 2016, becomes legally enforceable on 25th May 2018. The Data Protection Bill is still going through parliament, but this will bring GDPR into effect in the UK alongside some additional UK-specific legislation.
Any business or organisation processing personal data is required to comply with the GDPR legislation, and with only a month until they can face legal action from customers for being non-compliant, many businesses have neglected their responsibility to implement the changes.
The GDPR is new data protection legislation which is more applicable to today’s society, replacing previous legislation dating back to the pre-internet era of the 1990s.
Governance & Accountability
Some of the biggest changes are in the “Governance & Accountability” aspect, which, in summary, requires businesses to document all their data processing, their legal basis for collection, retention and storage, and how they comply with the GDPR. ‘Special Category Data’ such as health records collected by private practitioners and clinics is subject to additional protection. Any data which could be a high risk to an individual’s interests in the event of a breach requires an additional Data Protection Impact Assessment.
What we find many private therapists are unaware of is their own personal responsibilities under GDPR. Not only can they become personally liable as a data processor at an organisation (i.e. if they are aware of a breach and do not report it), but they are also Data Controllers if they do their own self-employed work too. This means they must also put all the GDPR documentation in place for their own ‘business’.
One situation which concerns therapists is when we remind them that not only could there be legal ramifications for not being GDPR compliant, but they potentially face being struck off the HCPC register should an individual report them for non-compliance and misusing their data.
If you are, then it is probably because you are a business owner who hasn’t implemented their GDPR changes. With the PPI insurance industry coming to an end, GDPR is foreseen as being the next legal push by hungry legal firms looking to seek compensation for customers.
To put GDPR into context, here is a taster of a few potential issues businesses could encounter:
Can you produce this immediately for them?
Hi, I told one of your staff 6 weeks ago that I wanted my data erasing but this hasn’t been done and the 1 month period to do this has expired.
Customers can request data rectification and erasure verbally; this doesn’t have to be in writing. Do your staff know how to handle these requests? You should have trained them in your procedures. As a data controller, you should have responded to this erasure request within 1 month.
Hi, you have me on your mail list, but claim your legal basis for continuing to email me beyond the 25th May 2018 is that I have a ‘legitimate interest’ in your business.
If your legal basis is a legitimate interest, you must have completed a legitimate interests assessment (LIA) at the time you completed your data audit.
These are just a taster to put GDPR into context for you.
Struggling with GDPR?
Here at Sports Physio UK, we are the UK’s leading physiotherapy franchise. We are family run, and see our team of therapists and clinic owners as an extension of our family. We are all committed to helping one another, and the GDPR is one of the areas we support our therapists and franchisees through.
By joining Sports Physio UK as a franchisee, we provide the business infrastructure and policies, allowing you to focus on growing your client base and practice. Click here to find out more about the benefits of joining Sports Physio UK.