So far in our series, “Demystifying GDPR for Dental Practitioners”, we have discussed many aspects of the GDPR and how it relates to the work of dental practices. Today we tackle the dental practice website. Nowadays any reputable, well-promoted dental practice has a website providing basic information, contact forms and an introduction to the staff. Under GDPR, additional requirements need to be built into that website, mainly concerning cookies, which can collect users’ personal data and therefore require consent.
Under GDPR, a personal data breach on your website must be reported to the supervisory authority (within 72 hours where feasible) and, where it poses a high risk to the people affected, to those users themselves. You cannot meet that obligation if you do not know a breach has occurred, so you need to monitor the security of your website (keep software updated, review server and access logs, and act on security notifications from your host and developer).
Data collection, processing and storage
- You need to provide an easy method for people to request the information you hold on them (also known as Subject Access Request – SAR)
- Users have the right to have inaccurate information about them corrected
- ‘Cookies’ are covered by the ePrivacy rules (the ePrivacy Directive and its national implementations), separately from GDPR
- Transport security such as SSL/TLS (HTTPS) is not specifically mandated by the GDPR, but the GDPR does require appropriate security for personal data, and without HTTPS neither you nor your visitors can be confident that what is typed into your forms is not read or altered in transit.
- The majority of referral forms on websites currently send the submitted information to the practice by email. Email is frequently unencrypted in transit and ends up in ordinary mailboxes, so the data travels ‘insecurely’ from the form to your email account. Best practice is a ‘secure form’ system in which the submission is not emailed at all but is encrypted and stored on the server, and can only be retrieved by an authorised member of the practice using a specific password or login. The form page itself must still be served over HTTPS, otherwise the data is exposed before it ever reaches the server.
Online Ads and New Patient Enquiry Rules
If someone responds, for example, to a landing page by filling in personal details to receive a service such as a free consultation, that person has given consent for you to contact them for that specific purpose only. An online lead from an email marketing campaign, a Facebook or Twitter ad, or something similar requires you to explicitly obtain permission in some manner before contacting them about anything else. An easy way is a separate, unticked opt-in box permitting contact for marketing and promotional purposes.
The GDPR requires you to keep a record of where each piece of data came from and what the person consented to, and a means of retrieving it should the patient or prospective patient ever request the information.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter, it is not legal advice and should not be treated as one. Specialist advice should be sought about your specific circumstances.