General Data Protection Regulation (GDPR) - does your practice comply?

When we talk about personal data, we work with the terms “Data Processor” and “Data Controller”. In this context, EasyPractice is a data processor and our users are the data controllers, since we process your client data on your behalf and in your interest. Therefore, you also have control over how we process your data, since we process it only as instructed by you.

With the new General Data Protection Regulation, it is legal to transfer personal data to other EU countries that comply with an adequate level of security. At EasyPractice we store data with a Danish hosting company in Denmark so you can be sure that your clients’ data is secure. It will therefore always be covered by the protection of the General Data Protection Regulation.

It’s important that you as a data controller are clear and concise in your communications when you store or otherwise process your clients’ data. Processing of data must either be necessary to satisfy a contract or there must be explicit consent for it – and in any event, the processing must be for a stated purpose and your client must be informed of:

• what personal data you shall register,
• what the personal data shall be processed for,
• how long the personal data will be stored for,
• that your client is entitled to have his/her information corrected, deleted or handed over,
• where your client may turn to make use of his/her rights to rectify, delete or have his/her information handed over,
• that the client can at any time withdraw his/her consent and how this may be done,
• where requests regarding the above can be rectified.

For example, if you set up clients in EasyPractice, the client shall expressly consent to this, and in that connection will receive the above information. If you have Online Booking in EasyPractice, you can set it up so that specific conditions must be approved before a booking is made, in order to ensure consent, and you should always do this.

As data processor, we are now required to have a Data Protection Officer (DPO). A DPO must ensure that a company meets the requirements of the new General Data Protection Regulation. Read more about what a DPO is.

The clients you have registered with EasyPractice have the right to be able to have their data transferred to another system if they request it. At EasyPractice, we have the ability to export client information via “Settings” → “Import / Export”, if you need a format that can be handed over to another data controller.

Your clients have the right to be “forgotten”. This means that your clients can demand to be deleted from your client directory. At EasyPractice, you can set a client as “Inactive” or delete the client from your directory completely. For the “Right to be forgotten” to be met, you must delete the client completely from your directory. This can be automated through our “Cleanup” app.

However, it is not always the case that a client can demand to have all information deleted. Perhaps you need to retain information as documentation of your handling of personal data, or other legislation requires you to retain the personal data for a certain period of time. The judgement is ultimately yours, but remember to inform the client of the decision, regardless of whether you erase all data or not.

This part of the General Data Protection Regulation is about ensuring that the systems you use comply with the requirements for personal data protection. At EasyPractice, we comply with the various requirements that exist, for example, encryption of personal data, but if you use other systems (e.g. accounting programs), you as a data controller must ensure that they also comply with the requirements. For example, if you have linked EasyPractice to an accounting system, we ensure that you transfer data over an encrypted connection, but you as a data controller are responsible for the other system you are using complying with the requirements for storage of personal data.

As a data controller, you have an obligation under the new General Data Protection Regulation to produce what is called an Impact assessment. An impact assessment is a description of the technologies / products you use that handle personal data and may include, among other things, an assessment of the risks for your clients in relation to being a client with you and what precautions and security measures you take in relation to the storage of personal data.

With the new General Data Protection Regulation there is also a duty to inform the national personal data agency (i.e. the Danish Data Protection Agency in Denmark) about data breaches. This must be done within 72 hours after a data breach. As data processors, we are obliged to inform both our users and the Danish Data Protection Agency about a breach and we have ensured that we have a procedure for that in our company. Remember that as a data controller you are also required to disclose any data breaches.

As a data controller, it is your responsibility that you have documentation showing that you comply with the General Data Protection Regulation. This means that you must have the correct documentation to show that data is processed correctly in the system you use.

Secure communication from web browser to system (such as when editing journal entries or when a client books an appointment) is something that you as a data controller should be aware of. TLS, which stands for Transport Layer Security, is a security protocol that ensures the safe and private transmission of data over the internet. It’s like a security blanket for your online communications, protecting them from snooping and tampering. Here’s a breakdown of what TLS does:

Encryption: Imagine sending a secret message. TLS scrambles the information you send and receive, making it unreadable to anyone who intercepts it, even on an unsecured network.

Authentication: Just like checking someone’s ID before letting them in, TLS verifies the identity of the websites and servers you connect to. This helps prevent impersonation and ensures you’re talking to the intended party. 

Data Integrity: TLS makes sure the information you send arrives complete and unchanged. It’s like adding a checksum to a package to see if anything got lost or altered in transit.

Easy Practice has the highest A+ score on the industry-standard TLS Test at ssllabs.com.

When using an online system such as for entering records or billing, it is often possible for the system to exchange data automatically with other platforms. It’s important that you, as a data controller, have an overview of the platforms you use and how they handle personal data. All integrations through EasyPractice run with TLS security (encrypted, secure communication) and thus we ensure that data cannot be “leaked” by network service providers.