In the April issue of the Independent Practitioner Today, Jane Braithwaite and Karen Heaton discuss GDPR and reveal that medical practices did not properly understand whether they were required to ask patients for their consent for certain processing activities, or how to do so.
Consent and GDPR
In the medical sense, ‘consent’ is very clear. But under the latest EU General Data Protection Regulation (GDPR), the question of consent has been one of the most confusing and frustrating issues to come to terms with.
How many emails did you receive in the run-up to the GDPR deadline about ‘opt-ins’ for marketing, or just ‘opt-ins’ in general?
Our experience is that medical practices and businesses in general really did not properly understand whether or not they were required to ask patients or clients for their consent for certain processing activities or how to do so.
On a personal level, it was a very useful opportunity to clear out unwanted junk email and compel organisations to take unsubscribe requests seriously. This had clearly not been the case in the past.
But were all these emails about consent necessary?
Well, that depends on a number of factors:
- The lawful basis you have for processing an individual’s data;
- How you received an individual’s data;
- What you have told individuals – patients, clients or employees – about how your practice handles their personal data.
For medical practices that act as data controllers, there is the potential for non-trivial reputational damage and large fines arising from Information Commissioner’s Office (ICO) investigations regarding poor consent practices.
So, to answer this question, let’s look at:
a) Your lawful basis for using that data;
b) The data you process and how it is processed.