On 25th May 2018, Data Protection rules changed in the European Union. The General Data Protection Regulation (GDPR) legislation aims to give control to citizens over their personal data and how it is used by organisations. This legislation affects all companies who hold data on customers. As an aesthetic practitioner, this may affect how you store patient details and how you keep in touch with your clients. Here are our top 4 tips to prepare yourself for GDPR.
With GDPR legislation now in play, there are lots of templates available which may help. The ICO have also published a Privacy Notice Checklist which will help ensure you tick all the boxes.
Review Your Marketing Lists
Under the new legislation you need consent to send marketing emails and other communications to individuals. Ideally, you should give people the chance to ‘opt in’ to receiving marketing messages when they make an enquiry or purchase a product from you. It may also be possible to contact people who have previously bought or enquired about your services, provided you can show that you have a legitimate interest for contacting them. The ICO have lots of advice on what constitutes a legitimate interest on their website.
If you are using contact forms on your website to build your marketing lists, make sure that any opt-in option for marketing emails is initially unticked, giving the person the chance to opt in if they wish, rather than having to opt out. You should also ensure you explain exactly how their details will be used if they do decide to opt in for marketing communications. All marketing communication must include an opt-out or unsubscribe option in the message.
If you have purchased a marketing list containing email addresses and/or telephone numbers, you may not have the consent you need to market to those individuals. Check carefully to see where that data came from and whether they had explicit consent to sell the data to you. If you are unsure, then avoid using or purchasing marketing databases and focus on advertising directly to customers who do consent to you contacting them.
Use GDPR Compliant Software
If you are running a clinic or mobile practice, we would recommend using clinic CRM software as a secure and efficient way to manage your patients. Many clinic CRM systems now offer apps that let you access your records on your phone or tablet. They will store all of your patient details securely, including consent forms and before and after photographs. They also allow you to manage your clinic diary and keep in touch with patients. If you are not already using a clinic CRM system, then this could be a great opportunity to better organise your patient details and make sure you are compliant. Many CRM providers have been busy updating their apps and software to be compliant with GDPR legislation. Make sure you speak to your current or chosen provider to see how their software supports GDPR compliance and what tips they have to help you manage your data effectively.
An important part of being an aesthetic practitioner is taking before and after photographs of your patients. As well as keeping these for the patients’ medical records, you may also wish to use them in a portfolio to show other clients, or to advertise your services on your website or social media pages. This type of advertising is extremely effective for facial aesthetic treatments; however, you must ensure you have explicit consent from your patients before doing so.
We have recently updated all of our consent forms for patients with a specific section for photographic consent. Patients first need to sign and date to confirm they are happy for their photographs to be taken and stored as part of the medical records we hold for them. There is also a separate opt-in and signature to consent to us using their before and after photographs on our website and social media accounts. We then explain how we would publish these and which social media platforms we use. We also give patients the option to change their mind if they decide they no longer want to feature in our advertising and portfolios.
GDPR – What Next?
Hopefully this article has given you some good starting points to consider how to equip your practice to comply with GDPR regulations. If you have any doubts as to your responsibilities or how you need to handle your customers’ data, then we would recommend you get professional advice from a firm of GDPR compliance experts. The Information Commissioner’s Office (ICO) has also put together lots of information and advice to help businesses and organisations of all sizes to adjust to the changes in the law. GDPR doesn’t need to be scary, and it is quite straightforward to adhere to the new rules, provided you take the time to understand your responsibilities and have processes in place to handle customer data responsibly.