GDPR is just as relevant a topic as when it came into effect almost two years ago, and very much on people’s minds.
Does it apply to veterinary practices?
Almost certainly, yes. If your normal day to day working activities within your veterinary practice involve storing or using information relating to named individuals, which could include customers (past or present), employees, suppliers, or other named individuals within your professional network – then GDPR is relevant.
What should I be doing?
This is not necessarily a simple question, but we highlight seven key issues, with simple steps to follow, when working towards GDPR compliance.
You must be able to demonstrate that consent has been freely given and is specific, informed and unambiguous. It must be given on an ‘opt-in’ basis. You may need to update existing consents if they do not comply with those points. For instance, if you post photos of a customer’s pet on your website or social media channels, we strongly recommend obtaining the customer’s consent beforehand.
As well as the current information you must give when you collect personal data, you will need to set out your legal basis for data processing and your data retention periods, as well as advising individuals that, alongside their other rights, they have a right to complain to the ICO. This information must be communicated clearly and concisely. You will usually find this on your practice website.
Holding and processing data
Under the GDPR you must maintain records of your processing activities. You may need to carry out an information audit to discover what information you hold, from which source, what you do with it and who you share it with.
Also, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt. Check with the ICO to see whether you or your organisation needs to pay a data protection fee.
Data Protection Officer (DPO)
Consider the appointment of a DPO. Identifying an individual who has responsibility for GDPR compliance can be helpful for implementing new policies and practices, monitoring compliance and reporting data breaches quickly and efficiently.
Use your practice team’s operational knowledge to assess what data you hold and how that data flows within (and outside) your organisation.
Rights of Individuals
Individuals have greater rights in relation to their data under the GDPR than previously, including rights of access and data portability, correction of inaccuracies, removal of information, prevention of direct marketing and of automated decision-making and profiling. Breaching individuals’ rights attracts large fines – up to €20m or 4% of total worldwide annual turnover (whichever is higher).
Mistakes happen, but you need to make sure you have procedures in place to detect, report and investigate a personal data breach. The GDPR will require you to notify the ICO of certain types of data breach and, in serious cases, the individual affected.
It may be of some comfort that a controller or processor's ability to present evidence to the ICO of efforts to comply with the requirements of the GDPR may help reduce liability. If they demonstrate, for example, that they did not intend to breach the GDPR and that they had effectively implemented organisational and technical measures appropriate to the risk, the ICO may take this into account in deciding whether to impose a fine, or it may reduce the fine imposed.
Points to remember
GDPR focuses on respecting the rights of individuals when their personal information is being processed. A data controller must demonstrate that data processing activities comply with the requirements, which means going further than simply setting up data protection policies and procedures. Being accountable means being able to demonstrate continuing compliance: practice processes implemented in line with GDPR policies, effective internal compliance measures and external controls.