Ultimate Guide to GDPR for Dental Practices

Since its inception, the General Data Protection Regulation (GDPR) has regularly been in the news and on the minds of dental practice owners affected by it. Understanding how this important piece of data privacy legislation impacts your busy office and how to remain compliant is crucial. This is especially true in the realm of digital marketing.

To help ensure your company is up to date and using GDPR best practices, Adit has put together this comprehensive guide. We cover what this requires and provide actionable tips to help you remain compliant.

What is GDPR?

The GDPR is a cybersecurity law that seeks to safeguard the sensitive data of those who reside in the European Union. These strict privacy rules when into effect in 2018 and updated the 1950 European Convention on Human Rights, so it was effective in our ever-changing digital era.

This was a necessary update to ensure that the boundaries between one's personal and public information were better recognized and respected. It achieves a heightened level of data security by regulating the collection, use, disclosure, and other processing of individuals' personally identifying information in the EU by those who control and/or handle their data.

What Types of Data Fall Under the GDPR?

Under GDPR privacy rules, it governs any data relating to an individual living in the EU that can directly or indirectly identify them. This about more than just addresses or banking information but also includes information about one's behavior patterns. It doesn't matter what form this data is presented either, and can have:

• Video
• Images
• Words
• Audio
• Numerals

Even if these details are not factually accurate because they are linked to someone's identity, they all received GDPR protections.

How GDPR Affects Dental Practices

To understand how GDPR can impact your dental office, let's break down how data gets used. Generally, personal data falls under two primary categories of use: those who process data and those who control it.

Data Controllers

Under the GDPR, controllers determine the processing and purpose of personal data. A single individual could fill this role in your office or corporate controller designated by your company.

Data Processors

The role of a data processor is defined as a single person, agency, public organization, or other entity that processes private information for the controller. Processors don't decide how your patients' personal data gets handled but follow the guidance they receive.

Example of a Data Controller and Data Processor Relationship

Typically, your dental office would be considered the controller because you will determine how you want your patients' sensitive data handled. On the other hand, companies like Adit would be viewed as a processor since we would use this information according to your instructions when creating email campaigns, for example.

It's important to note that processors would still have to be compliant with GDPR when handling private data belonging to your patients protected under this law despite your instructions. For example, if your practice provides whitening kits, specialty toothbrushes, or teledentistry in an online marketplace, and you offer these globally, your dental practice and processors must comply.

How GDPR Affects Dental Practice Marketing Strategies

At Adit, one of our strongest service areas for dental practices in the United States and globally is digital marketing. Because successful marketing strategies require collection and analysis of data to yield the best results, it's vital to be aware of what aspects of your advertising are impacted by GDPR, including:

• Website cookies for tracking
• Lead information generated by online ads
• Website contact forms
• Email addresses for ad campaigns monthly newsletters. and other lead magnets

Below is a quick overview of each of these marketing aspects and how GDPR may affect them:

Cookies

When visitors come to your dental practice website, cookies are used to track their preferences and interactions to help you better target your ads to their behavior. GDPR requires you to keep an updated Cookie Policy available on your site and get consent from visitors before storing and accessing any of this information.

Online Ad Generated Leads

When patients and prospects click through your Google Ads to your landing page and then fill out your provided contact form, they consent to communication with your company about the service or offer requested. For example, a free teeth whitening kit for subscribing their email address to your monthly oral health newsletter.

Typically, you would include an option they can opt-in or out of with a simple mouse click in a selection box for receiving additional communications from you regarding services and products. With the right dental practice management system, like that provided by Adit, a record of their consent is recorded and then made available if they should ever request this information.

Website Contact Forms

Encryption of your website is another crucial step in ensuring compliance with GDPR. This is especially important when potential patients communicate with you through online forms like those on a Contact Us page.

One of the easiest ways to achieve property security against hackers trying to steal information from these transmissions is by having an SSL certification on your website. These are relatively inexpensive nowadays and will reassure your visitors that they can securely submit information through your website.

Storing Patient Email Information

If you plan to send emails to your patients for appointment reminders, account billing, or any marketing campaigns, you must have consent from them before sending. Doing so will ensure your communications don't fall under CAN-SPAM laws that designate your dental practice email address as spam. Anything you send out will get filtered into patients' junk folders if this happens.

Further, it shields you from violating the GDPR law regarding spamming. One of the most straightforward methods of gaining consent to send emails to your patients involves using an opt-in clause in their medical file. You should use clear language that explains precisely what they are consenting to receive. Many dental practices use two different opt-ins, where one covers general patient communications regarding things like reminders, and the other opt-in covers marketing and promotional emails.

No matter what marketing uses you have planned for your patients' private data, GDPR and other similar laws like HIPAA require you to protect it.

10 Steps to GDPR Compliance for Dental Practices

Not sure if your dental practice meets the standards for data privacy protections set forth by the GDPR? Consider the following ten steps to reform your current processes and develop best practices:

Assess the Types of Data You Collect

One of the biggest challenges is understanding the data you collect from your patients and prospects. Get started by first determining the sources providing your dental office this information, which could include:

• Landing pages
• Online contact forms
• PPC campaigns
• Cookies
• Patient management software
• Electronic Health Records
• Lead magnets
• Email campaigns
• Newsletters
• Social media

As you can see, there are many channels for personally-identifying information to be shared with your office, and the GDPR demands it be protected. This is why identifying sensitive data and the sources that generate it is crucial to compliance. Even IP addresses could fall under this umbrella of security requirements if linked to an individual. So, if your ad campaign not only collects their email address but tracks their IP, this too would require protection.

You Need a Data Protection Officer (DPO)

The GDPR requires controllers and processors to have a Data Protection Officer (DPO) to oversee a dental practice's data protection strategy if any of the following conditions apply:

• A public authority is processing the data
• Data is systematically monitored
• Large amounts of data get collected and processed

What constitutes a large amount of data is unclear in the GDPR, so many dental organizations opt to have a DPO out of caution. Appoint someone in this role that can perform the following required duties:

• Ensure GDPR compliance by monitoring data processing
• Advice controllers and processors of compliance best practices
• Advise you on impact assessments regarding your data protection
• Be the primary contact for data processing inquiries
• Serve as the direct contact for the company when speaking with GDPR regulators
• Understands the many risks related to processing data
• Has demonstrated experience and training regarding GDPR law and best practices

To ensure your DPOs efforts are successful, your dental organization should also conduct regular monitoring to identify any vulnerabilities that could jeopardize the security of the data you collect.

Create a Data Register

Another important compliance best practice for GDPR is maintaining a data register that keeps a record of how your dental office handles the private data it uses. This is an extremely helpful diary that maps out your data flow in your company. Keeping detailed notes and records will prove your compliance should an audit or data breach happen. It can also help your team develop improved data security and show your dental office is dedicated to protecting patient data.

Assess Your Data Collection Requirements

One vital step to consider in developing a secure data collection process is to assess what information is necessary. The GDPR expects dental practices only to collect required information and not accumulate this data without reasonable cause.

Further, any data you collect which is considered highly sensitive under this law must be carefully reviewed. Privacy Impact Assessments and Data Protection Impact Assessments are mandatory for some types of personal information, which could include:

• Addresses
• Behavior patterns
• Data associated with minors
• Information gathered by new technology your office is using
• Data that is part of an automated process
• Identifying details gathered from public areas you monitor (parking lot, waiting room, etc.)
• Personal data involving:
  • Religious preferences/views
  • Ethnicity
  • Political/philosophical opinions
  • Membership data
  • Genetic and/or biometric data
  • Health records
  • Sexual orientation/Gender identity

Don't Delay in Reporting Data Breaches

Under GDPR, if your dental office experiences a data breach, you must immediately report it within 72 hours. This requirement is for both controllers and processors. To ensure that reporting occurs correctly, follow the below chain of command:

Processors should report incidents to their controllers. From there, controllers will report it to a supervising agency (Data Protection Association) which acts as a contact point with the GDPR authority.

Be Upfront About What Data You Collect and Why

In a digital age where personal data has become an invaluable commodity, your patients count on you to be transparent. Transparent about the information you collect and the reasons for doing so. GDPR prohibits the clandestine collection of their data, so to avoid financial penalties, make sure you have a clearly displayed acknowledgment wherever their information is stored.

Check out these common locations dental companies can display such notifications:

Cookies

Cookies are considered data collectors by the GDPR because they can identify users. To ensure your gathering of this information is done in an informed way, make sure to do the following:

• Request consent from site visitors before cookies begin collecting their private data
• Be clear about how your company uses cookie data
• Ensure that a log is kept that shows a user consent
• Visitors should still be able to access your website even if they decline to allow the use of cookies
• Make it easy for users to withdraw their consent at anytime

Site Forms

Another area that should display notification of data collection is pages with submissions forms. For example, suppose you have a landing page offering free whitening strips in exchange for a visitor's contact information or a newsletter sign-up promotion asking for their email address. In that case, you should first be clear on what data is collected and how you will use it. Keep language straightforward and simple to understand.

Age Verification

Under the GDPR, only individuals at least 16 years old or older can have their personal data processed. If your dental office needs to gather personally-identifying information of minors under this threshold, you must obtain consent from their parent or legal guardian.

Additionally, if your site may engage those under 16, it must have an age verification process before collecting their data.

Consider Using a Double-Opt-In for Email Sign-Ups

A great way to eliminate any doubt that an individual consented to receiving email communications and promotions from your dental office is using a double opt-in sign-up process. This essentially requires the user to agree when initially submitting their information and then follow up with an email confirmation that they will complete. It is not mandatory in GDPR guidance, but it's a wise step for compliance.

Regularly Update Your Privacy Policy

Privacy policies are not "one and done" elements of your website. GDPR for dental practices and any companies processing sensitive consumer data needs to always be up to date. These updates could be due to changes in the laws governing your company, a change in how you do business, and numerous other reasons. Whatever the reason, when making changes, makes sure your patients are notified through an email.

Any privacy policy you use should be clear on the type of data your business collects and how it gets used.

Regularly Check Your Data Collection Practices for Vulnerabilities

The GDPR and similar laws throughout the world expect organizations to be vigilant in their efforts to be aware of all data security risks that could endanger private consumer information. This also means having remediation strategies in place should a breach or hacking attempt be successful and exposing identifying details related to your dental patients.

At Adit, we understand that creating a secure data environment requires rigorous monitoring and testing. Having a world-class digital security team for smaller dental firms may seem a tall order. Still, by relying on a cloud-based practice management solution, we can help you achieve compliance.

Adit Understands the Importance of GDPR for Dental Practices Worldwide

You need state-of-the-art digital tools to help your dental company identify and address security vulnerabilities that could impact your compliance with GDPR requirements. Our dental practice management software will empower your team to gather invaluable insights from collected patient data while ensuring this sensitive information says secure and protected. No matter what sources you use, whether through a social media ad campaign or using a lead magnet to drive more traffic to your website, we will ensure your efforts are compliant and protect the data your patients entrust with you.

Find out more about how our cutting-edge digital tools can streamline your operations, build your brand, and boost revenue streams. Request a free demo today!