As I booked a reservation at Premier Inn for our upcoming Essential Expert Witness workshop in Leicester, I noticed that Premier Inn is still not in compliance with GDPR in that one must still “opt-out” of marketing emails! Susan, who was reviewing posts on a media forum, asked me about GDPR and Brexit as well as sharing some of the responses to the questions raised. She figured it was time for me to grab this bull by the horns again and debunk a few commonly held beliefs.
First, most of us are classed as small businesses by the ICO (Information Commissioner’s Office). That is, fewer than 250 employees. This can mean that GDPR doesn’t apply, but actually in our line of work the principles do apply. It is simpler to be a small business, particularly if one avoids all the websites that want to make money by providing you with expert advice. You don’t need the expert advice. The only advice you need should come directly from the ICO website.
Second, HIPAA is irrelevant if you are not in the USA. This is a USA requirement for medical professionals who are filing insurance claims. It has nothing to do with the UK or GDPR. Practitioners in the USA who do not file insurance claims do not have to comply with HIPAA either. Leave HIPAA where it belongs, in the USA.
Third, BREXIT. Sigh. Keep in mind that you are a small business and not a multi-national conglomerate. Data security should be an integral part of your business and that, on its own, will keep you out of trouble. If your data is not breached and your client has confidence in how you hold their data, then you will never meet the ICO. The UK already stated that the GDPR will be enshrined in UK statute upon exit from the EU — with or without an agreement. Any agreement decided may affect how data can flow between the EU and the UK, but there isn’t much point worrying about that until or unless an agreement is determined. You should visit ICO BREXIT BLOG and view the links with steps to take (many of which will not apply to you). Ignore what you read on forums or sites that want to sell you something.
Fourth, Skype, FaceTime, Zoom, telephones, first class post, and post-its are fine to use. GDPR does not require everyone to go out of business. There is no such thing as a compliance list with GDPR, although it rears up in forums all the time. I have yet to find a prosecution by the ICO that relates to the use of remote therapy. There are plenty for unsolicited emails or telephone calls. A few for losing a memory stick or an unprotected computer. And a few for malicious or deliberate access to private records outside of official duty. The overwhelming majority of enforcements relate to marketing. You can and should review these enforcement actions at the ICO because this will inform you of what they find important and what you should do to ensure you do not go down that slippery path. The overall enforcement record is here: All Enforcements. The enforcement record for the health field is here: Health Profession Enforcements.
I generally keep up on prosecutions by both the ICO and the HCPC. This is invaluable in learning what the enforcers believe are serious violations. The vast majority of ICO actions against individual practitioners have involved what I would consider criminal acts such as stalking — viewing records without authorisation, taking records home, contacting data subjects on a non-official basis, and so forth. I don’t recall, yet, seeing a single psychologist prosecuted for a data breach. While I have read on some of these “advice” websites that being handed a business card is not permission to add that person to an email list, I would be surprised if the ICO would ever seriously consider that an enforcement matter nor, indeed, would most of us who hand out our business cards. If it is easy to unsubscribe from an email — as ours are — then this is unlikely to invite the hounds from the ICO. If one just thinks about this rationally then it becomes easier to get along.
As an example, the most serious breach I have seen, and one that is similar to what a psychologist might flounder into, involves a barrister who used a shared computer with her family. Her husband, while doing maintenance, uploaded more than 550 files to the web for “safekeeping” while he upgraded the computer. The files were not encrypted and were quickly indexed and cached by search engines. Approximately 250 people had their confidential information compromised. It was quickly remedied and the barrister was cooperative. In the end, the ICO fined the barrister £1,000 for the infractions. I suspect that the other costs to reputation, relationships, and work were probably much more devastating.
Fifth, GDPR is one of the most onerous pieces of legislation out there, and the ICO’s attention is being focussed on blatant violations of the regulations by large players, not the small businesses that do their best to comply. It is mostly designed to corral large businesses into the control of the ICO. If you protect your clients’ data, employ reasonable security measures, act swiftly on any concerns of your clients, and continue to protect data to the high standard most psychologists already abide by, then the ICO is not going to come looking for you. Even if you find yourself in a small infraction, the ICO isn’t going to use their resources to swat you down. They aren’t driving around in a white van looking for infractions. They already have more work than they know what to do with.
If you haven’t done so then view our videos on GDPR and read the blogs. They should reassure you that it is actually simple. Further, it is easier to adopt good security practices than it is to read all the legislation and come up with some sort of policy to address it. If you work for a business or organisation then you may have witnessed the creation of spreadsheets and flow charts and goodness knows what else. Stop it. Do the simple things in my blogs and videos and be conscientious about your data security. You will be fine.
My rule and advice remains: if your data is never compromised and you respect the wishes of your clients in regard to marketing, then you will not become entangled with the ICO.