• SETTING THE GOLD STANDARD IN AESTHETIC TRAINING
Top Tips for GDPR Compliance

On 25th May 2018, Data Protection rules changed in the European Union. The General Data Protection Regulation (GDPR) legislation aims to give control to citizens over their personal data and how it is used by organisations. This legislation affects all companies who hold data on customers. As an aesthetic practitioner, this may affect how you store patient details and how you keep in touch with your clients. Here are our top 4 tips to prepare yourself for GDPR.

Update Your Privacy Policy

If your organisation has a privacy policy, its time to review it to make sure it is GDPR complaint. If you don’t have a privacy policy, then it’s time to write one! Your privacy policy needs to identify the name and contact details of who is responsible for collecting data within the organisation, show what type of data you collect from customers, and how you obtain this. You will also need to explain how you will be storing and using their data and explain their rights to withdraw consent or be forgotten.

With GDPR legislation now in play, there are lots of templates available which may help. The ICO have also published a Privacy Notice Checklist which will help ensure you tick all the boxes.

Review Your Marketing Lists

Under the new legislation you need consent to send marketing emails and other communications to individuals. Ideally, you should provide people the chance to ‘opt in’ to receiving marketing messages when they make an enquiry or purchase a product from you. It may also be possible to contact people that have previously bought or enquired about your services, provided you can prove that you have a legitimate interest for contacting them. The ICO have lots of advice on what constitutes a legitimate interest on their website.

If you are using contact forms on your website to build your marketing lists, make sure that any opt in option for marketing emails is initially unticked, giving the person the chance to opt in if they wish, rather than having to opt out. You should also ensure to explain exactly how their details will be used if they do decide to opt in for marketing communications. All marketing communication must include an opt-out or unsubscribe option in the message.

If you have purchased a marketing list containing email addresses and/or telephone numbers, you may not have the consent you need to market to those individuals. Check carefully to see where that data came from and whether they had explicit consent to sell the data to you. If you are unsure, then avoid using or purchasing marketing databases and focus on advertising directly to customers who do consent to you contacting them.

Use GDPR Compliant Software

If you are running a clinic or mobile practice, we would recommend using clinic CRM software as a secure and efficient way to manage your patients. Many clinic CRM systems now offer apps to allow you to access on your phone or tablet. They will store all of your patient details securely, including consent forms and before and after photographs. They also allow you to manage your clinic diary and keep in touch with patients. If you are not already using a clinic CRM system, then this could be a great opportunity to better organise your patient details and make sure you are compliant. Many CRM providers have been busy updating their apps and software to be compliant with GDPR legislation. Make sure you speak to your current or chosen provider to see how their software works with GDPR compliance and see what tips they have to help you manage your data effectively.

Photographic Consent

An important part of being an aesthetic practitioner is taking before and after photographs of your patients. As well as having these for the patients medical records, you may also wish to use these in a portfolio to show other clients, or to advertise your services on your website or social media pages. This type of advertising is extremely effective for facial aesthetic treatments, however, you must ensure you have explicit consent from your patients before doing so.

We have recently updated all of our consent forms for patients which a specific section for photographic consent. Patients will first need to sign and date to confirm they are happy for their photographs to be taken and stored as part of their medical records we hold for them. There is also a separate opt in and signature to consent for us using their before and after photographs on our website and social medial accounts. We then explain how we would publish these and which social medial platforms we use. We also give patients the option to change their mind if they decide they no longer want to feature in our advertising and portfolios.

GDPR – What Next?

Hopefully this article has given you some good starting points to consider how to equip your practice to comply with GDPR regulations. If you have any doubts as to your responsibilities or how you need to handle your customers data then we would recommend you get professional advice from a firm of GDPR compliance experts. The Information Commissioners Office (ICO) has also put together lots of information and advice to help businesses and organisations of all sizes to adjust to the changes in the law. GDPR doesn’t need to be scary and it is quite straight forward to adhere to the new rules, provided you take the time to understand your responsibilities and have processes in place to handle customer data responsibility.