Reasons for GDPR
A major reason for introducing the General Data Protection Regulation (GDPR) is the huge amount of personal data that is nowadays being processed. Information held about individual people has increased by 90% since the Data Protection Act (DPA) came into force 20 years ago. Back then, you didn’t buy anything online, a tablet was something you swallowed, Google was a noise a baby made, if you used a search engine it was probably Altavista, and a phone wasn’t smart even if you could get a signal!
So GDPR makes sense, and Professional Reflexology Association has collated the information below in order to help ease your way through the maze of the new regulations.
What is the purpose of GDPR (General Data Protection Regulation)?
The General Data Protection Regulation (GDPR) is a set of EU laws that come into effect on May 25th, 2018. Its purpose is to provide a single, standardised set of data protection regulations across all EU member countries. It aims to strengthen data protection for individuals both within the EU and beyond. It will make it easier for individuals to understand how and why their personal data is being collected and used, to raise complaints, and to take control of their data even if they are not in the country where it is located.
The main tenets of GDPR are similar to those in the Data Protection Act (DPA). If you are already following what the DPA requires, then you should be well on your way to complying with GDPR.
So what should I do?
There are additions and changes to the law, but please don’t get worried, you will not find a data inspector on your doorstep on the 26th May! You do need to check your procedures to make sure you comply.
- You will need to be able to inform a client of their rights under GDPR
- When you ask for data (Personal Information) from a client you must make clear:
  - What data is being requested
  - Why you need the data
  - How you will store the data
  - How you will use the data (and how long you will keep it)
  - Whether the data will be shared and, if so, with whom
  - Why the business (you) wants to use the data for the reasons you have indicated
  - That parental consent for children’s data (under the age of 16) will be required
  - That clients have the right to change their mind and request that their data be deleted
  - That the client has a real choice as to whether they want to part with their data
  - A simple method for the client to freely consent to their data being used in the manner described
PR has some suggestions that will hopefully make this a lot easier for you. So, let’s have a look at the list above to make sure you cover the points. Number 3 is probably very little different from what you are doing already, so we will deal with that first.
Imagine you are greeting a new client and explaining to them what’s going to happen. You still need to explain reflexology and possible reactions, of course, but add the points above to cover GDPR.
To do so, the conversation might go like this:
‘I just need to run over a few things with you, I need a few details, for example, your address, telephone number, email in case I need to contact you. Then I need to know a bit about your lifestyle and medical history and why you came to see me today. This will help me to make sure that I can personalise the treatment to give you the best possible outcome. Anything you tell me is totally confidential, I never share it with anyone, and I make sure it is stored under lock and key/password protected on my computer/in my safe (etc etc.). I normally keep records for around 7 years for insurance reasons, but you can ask me to destroy it or delete it at any time.
(Oh, you’d like to make an appointment for your daughter. How old is she? 15? Then I would want you to give your permission for treatment in writing, and I would like you to be present when I’m treating her.)
If that’s okay with you we’ll go ahead with questions, and then I will ask you to give me permission to continue with treatment.’
(This will feel much more natural if you use your own wording, and it is worth a practice).
To cover points 1 & 2 (plus j) from the list, we have produced some templates to help PR Members. These are available from the download area of the website.
(You do need to be logged in to see the ‘Downloads’ Menu item).
Emails to Clients
It is quite likely that you will want to email your clients from time to time with special offers, news about your practice etc. If you use our ‘Informed Consent’ template all new clients will have signed to the effect that they are prepared to receive emails from you, but what about your past and present clients?
If a client has bought something from you in the past they are probably okay with receiving emails from you offering something similar, even without having given specific permission. Emailing previous clients without express permission is called ‘soft opt-in’. But, in all future emails, you should give them the option to opt out of receiving emails from you.
If you have told your client that you keep records for ‘x’ length of time (see 3.c above) it means that after ‘x’ length of time you can no longer send marketing emails to them. Some insurance companies (Balens for example) require you to keep records for up to 7 years so you may choose to inform your clients that 7 years is the length of time you normally keep records.
Do you need to register for GDPR?
As an independent therapist, it is unlikely that you will need to register, but to make sure you can take a quick self-assessment check here: https://ico.org.uk/for-organisations/register/self-assessment/
If you offer training, e.g. CPD, or you are a school, then you probably will need to register, and the fee will be from around £35, dependent on turnover, staff numbers etc.
It should be emphasised that while Professional Reflexology has made every effort to ensure that the information given is accurate, we cannot be held responsible for any omissions or errors. It is up to each individual Member to ensure that they comply with GDPR, and in order to do so you are advised to visit https://ico.org.uk
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.