Since its inception, the General Data Protection Regulation (GDPR) has regularly been in the news and on the minds of dental practice owners affected by it. Understanding how this important piece of data privacy legislation impacts your busy office and how to remain compliant is crucial. This is especially true in the realm of digital marketing.
To help ensure your company is up to date and using GDPR best practices, Adit has put together this comprehensive guide. We cover what this requires and provide actionable tips to help you remain compliant.
The GDPR is a data privacy law that seeks to safeguard the sensitive data of those who reside in the European Union. These strict privacy rules went into effect in 2018 and updated the 1950 European Convention on Human Rights so that it remains effective in our ever-changing digital era.
This was a necessary update to ensure that the boundaries between one's personal and public information were better recognized and respected. It achieves a heightened level of data security by regulating the collection, use, disclosure, and other processing of individuals' personally identifying information in the EU by those who control and/or handle their data.
GDPR privacy rules govern any data relating to an individual living in the EU that can directly or indirectly identify them. This covers more than addresses or banking information; it also includes information about a person's behavior patterns. It doesn't matter what form the data takes, and it can include:
Even if these details are not factually accurate, they all receive GDPR protection because they are linked to someone's identity.
To understand how GDPR can impact your dental office, let's break down how data gets used. Generally, personal data falls under two primary categories of use: those who process data and those who control it.
Data Controllers
Under the GDPR, controllers determine the purpose and means of processing personal data. A single individual in your office could fill this role, or it could be a corporate controller designated by your company.
Data Processors
The role of a data processor is defined as a single person, agency, public organization, or other entity that processes private information for the controller. Processors don't decide how your patients' personal data gets handled but follow the guidance they receive.
Example of a Data Controller and Data Processor Relationship
Typically, your dental office would be considered the controller because you will determine how you want your patients' sensitive data handled. On the other hand, companies like Adit would be viewed as a processor since we would use this information according to your instructions when creating email campaigns, for example.
It's important to note that processors must still comply with GDPR when handling your patients' protected data, regardless of the instructions you give them. For example, if your practice sells whitening kits, specialty toothbrushes, or teledentistry through an online marketplace and you offer these globally, both your dental practice and its processors must comply.
At Adit, one of our strongest service areas for dental practices in the United States and globally is digital marketing. Because successful marketing strategies require collection and analysis of data to yield the best results, it's vital to be aware of what aspects of your advertising are impacted by GDPR, including:
Below is a quick overview of each of these marketing aspects and how GDPR may affect them:
When visitors come to your dental practice website, cookies are used to track their preferences and interactions to help you better target your ads to their behavior. GDPR requires you to keep an updated Cookie Policy available on your site and get consent from visitors before storing and accessing any of this information.
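Consent-gated cookie handling in practice, as an added example that is not part of the original post or of Adit's software: tracking cookies are set only through one function that checks a recorded decision first, the decision is stored with the policy version and a timestamp so it can be produced on request, and withdrawing consent removes the non-essential cookies already set. The cookie jar is an assumed abstraction so the logic runs in Node as well as in a browser, where `get`/`set`/`remove` would wrap `document.cookie`; the cookie names and category list are constructed for the example.

```javascript
// Added example (not Adit's code): set non-essential cookies only after the
// visitor has recorded consent, and clear them if consent is withdrawn.
// The cookie jar is an assumed abstraction so the logic runs in Node as well as
// in a browser (where get/set/remove would wrap document.cookie).

const CONSENT_COOKIE = 'cookie_consent'; // assumed name for the stored decision
const POLICY_VERSION = '2024-01';        // constructed; bump when the Cookie Policy changes

// Categories the banner offers. Only "necessary" cookies may be set without consent.
const NON_ESSENTIAL = ['analytics', 'marketing'];
const CATEGORIES = ['necessary', ...NON_ESSENTIAL];

// Minimal in-memory jar that also remembers each cookie's category.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name).value : undefined),
    set: (name, value, category) => { store.set(name, { value, category }); },
    remove: (name) => store.delete(name),
    names: () => [...store.keys()],
    categoryOf: (name) => (store.has(name) ? store.get(name).category : undefined),
  };
}

// Parse the stored decision; anything malformed or from an older policy counts as "no consent".
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try {
    const consent = JSON.parse(raw);
    return consent.version === POLICY_VERSION ? consent : null;
  } catch {
    return null;
  }
}

// Store the visitor's explicit choices with a timestamp, so the record can be produced on request.
function recordConsent(jar, choices) {
  const consent = {
    version: POLICY_VERSION,
    at: new Date().toISOString(),
    choices: {
      necessary: true,
      analytics: choices.analytics === true,
      marketing: choices.marketing === true,
    },
  };
  jar.set(CONSENT_COOKIE, JSON.stringify(consent), 'necessary');
  return consent;
}

function canSet(jar, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (category === 'necessary') return true;
  const consent = readConsent(jar);
  return consent !== null && consent.choices[category] === true;
}

// The one place tracking code should go through: refuses when consent is missing.
function setCookie(jar, name, value, category) {
  if (!canSet(jar, category)) return false;
  jar.set(name, value, category);
  return true;
}

// Withdrawal must be as easy as consenting: drop the decision and every non-essential cookie.
function withdrawConsent(jar) {
  const removed = jar.names().filter((n) => NON_ESSENTIAL.includes(jar.categoryOf(n)));
  removed.forEach((n) => jar.remove(n));
  jar.remove(CONSENT_COOKIE);
  return removed;
}

// Walk-through with constructed cookie names; returns the outcomes so they can be checked.
function demo() {
  const jar = memoryJar();
  const beforeConsent = setCookie(jar, '_ga', 'GA1.2.constructed', 'analytics');   // false
  const session = setCookie(jar, 'session_id', 'constructed', 'necessary');        // true
  recordConsent(jar, { analytics: true, marketing: false });
  const afterConsent = setCookie(jar, '_ga', 'GA1.2.constructed', 'analytics');    // true
  const marketing = setCookie(jar, '_fbp', 'constructed', 'marketing');            // false: not consented
  const removed = withdrawConsent(jar);                                            // ['_ga']
  const afterWithdrawal = setCookie(jar, '_ga', 'GA1.2.constructed', 'analytics'); // false again
  return { beforeConsent, session, afterConsent, marketing, removed, afterWithdrawal, remaining: jar.names() };
}
```

The version check in `readConsent` is the part most often missed: when the Cookie Policy changes, an old stored decision no longer counts, so the banner is shown again instead of silently carrying consent forward.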
When patients and prospects click through your Google Ads to your landing page and then fill out your provided contact form, they consent to communication with your company about the service or offer requested. For example, a free teeth whitening kit for subscribing their email address to your monthly oral health newsletter.
Typically, you would include an option they can opt in to or out of with a simple click in a selection box for receiving additional communications from you regarding services and products. With the right dental practice management system, like that provided by Adit, a record of their consent is kept and made available if they should ever request this information.
Encryption of your website is another crucial step in ensuring compliance with GDPR. This is especially important when potential patients communicate with you through online forms like those on a Contact Us page.
One of the easiest ways to achieve proper security against hackers trying to steal information from these transmissions is by having an SSL/TLS certificate on your website. These are relatively inexpensive nowadays and will reassure your visitors that they can securely submit information through your website.
If you plan to send emails to your patients for appointment reminders, account billing, or any marketing campaigns, you must have their consent before sending. Doing so will ensure your communications don't fall under CAN-SPAM laws that designate your dental practice's email address as spam. If this happens, anything you send out will get filtered into patients' junk folders.
Further, it shields you from violating the GDPR law regarding spamming. One of the most straightforward methods of gaining consent to send emails to your patients involves using an opt-in clause in their medical file. You should use clear language that explains precisely what they are consenting to receive. Many dental practices use two different opt-ins, where one covers general patient communications regarding things like reminders, and the other opt-in covers marketing and promotional emails.
No matter what marketing uses you have planned for your patients' private data, GDPR and other similar laws like HIPAA require you to protect it.
Not sure if your dental practice meets the standards for data privacy protections set forth by the GDPR? Consider the following ten steps to reform your current processes and develop best practices:
One of the biggest challenges is understanding the data you collect from your patients and prospects. Get started by first determining the sources providing your dental office this information, which could include:
As you can see, there are many channels for personally-identifying information to be shared with your office, and the GDPR demands it be protected. This is why identifying sensitive data and the sources that generate it is crucial to compliance. Even IP addresses could fall under this umbrella of security requirements if linked to an individual. So, if your ad campaign not only collects their email address but tracks their IP, this too would require protection.
The GDPR requires controllers and processors to have a Data Protection Officer (DPO) to oversee a dental practice's data protection strategy if any of the following conditions apply:
What constitutes a large amount of data is unclear in the GDPR, so many dental organizations opt to have a DPO out of caution. Appoint someone in this role that can perform the following required duties:
To ensure your DPO's efforts are successful, your dental organization should also conduct regular monitoring to identify any vulnerabilities that could jeopardize the security of the data you collect.
Another important compliance best practice for GDPR is maintaining a data register that keeps a record of how your dental office handles the private data it uses. This is an extremely helpful diary that maps out your data flow in your company. Keeping detailed notes and records will prove your compliance should an audit or data breach happen. It can also help your team develop improved data security and show your dental office is dedicated to protecting patient data.
One vital step to consider in developing a secure data collection process is to assess what information is necessary. The GDPR expects dental practices only to collect required information and not accumulate this data without reasonable cause.
Further, any data you collect which is considered highly sensitive under this law must be carefully reviewed. Privacy Impact Assessments and Data Protection Impact Assessments are mandatory for some types of personal information, which could include:
Under GDPR, if your dental office experiences a data breach, you must report it promptly, and within 72 hours. This requirement applies to both controllers and processors. To ensure that reporting occurs correctly, follow the chain of command below:
Processors should report incidents to their controllers. From there, controllers report it to the supervising agency (Data Protection Association), which acts as a contact point with the GDPR authority.
In a digital age where personal data has become an invaluable commodity, your patients count on you to be transparent about the information you collect and the reasons for doing so. GDPR prohibits the clandestine collection of their data, so to avoid financial penalties, make sure you have a clearly displayed acknowledgment wherever their information is collected or stored.
Check out these common locations dental companies can display such notifications:
Cookies
Cookies are considered data collectors by the GDPR because they can identify users. To ensure your gathering of this information is done in an informed way, make sure to do the following:
Site Forms
Another area that should display notification of data collection is any page with a submission form. For example, suppose you have a landing page offering free whitening strips in exchange for a visitor's contact information, or a newsletter sign-up promotion asking for their email address. In that case, you should first be clear about what data is collected and how you will use it. Keep the language straightforward and simple to understand.
Under the GDPR, only individuals at least 16 years old can have their personal data processed on the basis of their own consent. If your dental office needs to gather personally identifying information from minors under this threshold, you must obtain consent from their parent or legal guardian.
Additionally, if your site may engage those under 16, it must have an age verification process before collecting their data.
A great way to eliminate any doubt that an individual consented to receiving email communications and promotions from your dental office is a double opt-in sign-up process. This requires the user to agree when initially submitting their information and then to complete a follow-up email confirmation. It is not mandatory under GDPR guidance, but it's a wise step for compliance.
Privacy policies are not "one and done" elements of your website. For dental practices, and for any company processing sensitive consumer data, the policy must always be kept up to date under GDPR. These updates could be due to changes in the laws governing your company, a change in how you do business, and numerous other reasons. Whatever the reason, when making changes, make sure your patients are notified by email.
Any privacy policy you use should be clear on the type of data your business collects and how it gets used.
The GDPR and similar laws throughout the world expect organizations to be vigilant in identifying all data security risks that could endanger private consumer information. This also means having remediation strategies in place should a breach or hacking attempt succeed and expose identifying details about your dental patients.
At Adit, we understand that creating a secure data environment requires rigorous monitoring and testing. Having a world-class digital security team for smaller dental firms may seem a tall order. Still, by relying on a cloud-based practice management solution, we can help you achieve compliance.
You need state-of-the-art digital tools to help your dental company identify and address security vulnerabilities that could impact your compliance with GDPR requirements. Our dental practice management software will empower your team to gather invaluable insights from collected patient data while ensuring this sensitive information stays secure and protected. No matter what sources you use, whether a social media ad campaign or a lead magnet to drive more traffic to your website, we will ensure your efforts are compliant and protect the data your patients entrust to you.
Find out more about how our cutting-edge digital tools can streamline your operations, build your brand, and boost revenue streams. Request a free demo today!
Angela is a former English teacher turned marketing content specialist. Over the past 10 years, she’s developed marketing strategies to forge enduring bonds between B2B, B2C and SaaS companies and their clients through holistic education, effective communication, and captivating storytelling that moves audiences to act.