General Data Protection Regulation (GDPR) - does your practice comply?


At EasyPractice, we are prepared for the new General Data Protection Regulation to come into force.

We get many questions about it, so we have made this page which contains information on how we relate to it.

The General Data Protection Regulation is a significant piece of legislation, so there is a lot to consider when running a clinic or practice. Below, we review the key issues of the General Data Protection Regulation, which we naturally deal with for you in EasyPractice.

Data Processors and Data Controllers

When we talk about personal data, we work with the terms “Data Processor” and “Data Controller”. In this context, EasyPractice is a data processor and our users are the data controllers, since we process your client data on your behalf and in your interest. Therefore, you also have control over how we process your data, since we process it only as instructed by you.

Should I – as a data controller – do something myself?

No. This is just a matter of definitions. You have accepted our agreement on data processing once you have been set up with EasyPractice.

Location of data

With the new General Data Protection Regulation, it is legal to transfer personal data to other EU countries that comply with an adequate level of security. At EasyPractice we store data with a Danish hosting company in Denmark, and therefore you do not have to be afraid that your clients’ data might be sent out of the EU. It will therefore always be covered by the protection of the General Data Protection Regulation.

Should I – as a data controller – do something myself?

No. EasyPractice is already set up to store all your data in Denmark.

Consent and disclosure requirements

It’s important that you as a data controller are clear and concise in your communications when you store or otherwise process your clients’ data. Processing of data must either be necessary to satisfy a contract or there must be explicit consent for it – and in any event, the processing must be for a stated purpose and your client must be informed of:

  • what personal data you shall register,
  • what the personal data shall be processed for,
  • how long the personal data will be stored for,
  • that your client is entitled to have his/her information corrected, deleted or handed over,
  • where your client may turn to make use of his/her rights to rectify, delete or have his/her information handed over,
  • that the client can at any time withdraw his/her consent and how this may be done,
  • where requests regarding the above can be directed.

For example, if you set up clients in EasyPractice, the client shall expressly consent to this, and in that connection will receive the above information. If you have Online Booking in EasyPractice, you can set it up so that specific conditions must be approved before a booking is made, in order to ensure consent, and you should always do this.

Should I – as a data controller – do something myself?

Yes. You must ask your clients to give their consent for you to store and process their data. You can do this in collaboration with EasyPractice. 

Data Protection Officer

As data processor, we are now required to have a Data Protection Officer (DPO). A DPO must ensure that a company meets the requirements of the new General Data Protection Regulation. Read more about what a DPO is.

Should I – as a data controller – do something myself?

No. EasyPractice has already dealt with this for you by appointing a DPO, who, among other things, deals with inquiries from your clients regarding processing of their personal data. 

Data portability

The clients you have registered with EasyPractice have the right to be able to have their data transferred to another system if they request it. At EasyPractice, we have the ability to export client information via “Settings” → “Import / Export”, if you need a format that can be handed over to another data controller.

Should I – as a data controller – do something myself?

No. You don’t have to do anything. This is handled by EasyPractice.

“Right to be forgotten”

Your clients have the right to be “forgotten”. This means that your clients may demand that they be deleted from your client directory. At EasyPractice, you can specify a client as “Inactive”, or delete the client completely from your directory. In order for the “Right to be forgotten” to be met, it is important that you delete the client completely from your directory.

Should I – as a data controller – do something myself?

No. You don’t have to do anything. This is handled by EasyPractice. You can delete your clients completely if they request it.

Privacy by design / Privacy by default

This part of the General Data Protection Regulation is about ensuring that the systems you use comply with the requirements for personal data protection. At EasyPractice, we comply with the various requirements that exist, for example, encryption of personal data, but if you use other systems (e.g. accounting programs), you as a data controller must ensure that they also comply with the requirements. For example, if you have linked EasyPractice to an accounting system, we ensure that you transfer data over an encrypted connection, but you as a data controller are responsible for the other system you are using complying with the requirements for storage of personal data.

Should I – as a data controller – do something myself?

Yes. You must investigate whether the other programs you use to process personal data comply with the requirements of the General Data Protection Regulation, and you must enter into data processing agreements with your various data processors.

Impact assessment

As a data controller, you have an obligation under the new General Data Protection Regulation to produce what is called an impact assessment. An impact assessment is a description of the technologies and products you use that handle personal data, and may include, among other things, an assessment of the risks for your clients in relation to being a client with you, and what precautions and security measures you take in relation to the storage of personal data.

Should I – as a data controller – do something myself?

Yes. You must prepare the impact assessment yourself. We can assist you with this, via our lawyer, if you contact us at contact@easypractice.net.

Notification duty regarding data breaches

With the new General Data Protection Regulation there is also a duty to inform the national data protection authority (i.e. the Danish Data Protection Agency in Denmark) about data breaches. This must be done within 72 hours after a data breach. As data processors, we are obliged to inform both our users and the Danish Data Protection Agency about a breach, and we have ensured that we have a procedure for that in our company. Remember that as a data controller you are also required to report any data breaches.

Should I – as a data controller – do something myself?

Yes. You must notify the Danish Data Protection Agency if you receive a notification from us about any data breach, but of course we will help you in the formulation of the notification so you do not have to worry about the technical aspects.

Documentation that the General Data Protection Regulation is being complied with

As a data controller, it is your responsibility that you have documentation showing that you comply with the General Data Protection Regulation. This means that you must have the correct documentation to show that data is processed correctly in the system you use. You can find documentation about personal data in EasyPractice.

Should I – as a data controller – do something myself?

Yes. You must provide documentation to the Danish Data Protection Agency that you comply with the General Data Protection Regulation.

SSL security / encrypted communication

Secure communication from web browser to system (such as when editing journal entries or when a client books an appointment) is something that you as data controller should be aware of. A large proportion of the systems for keeping records, online booking and billing still do not use Secure Sockets Layer (SSL) security. SSL is the small padlock you can see in the browser, such as with online banking or terapeutbooking.dk. If you are using a system today that does not have the small padlock, consider changing, or alternatively contact your supplier and ensure that this is dealt with.

Should I – as a data controller – do something myself?

No. EasyPractice automatically runs with SSL security.

Exchange of data between platforms (integrations, apps)

When using an online system such as for entering records or billing, it is often possible for the system to exchange data automatically with other platforms. It’s important that you, as a data controller, have an overview of the platforms you use and how they handle personal data. All integrations through EasyPractice run with SSL security (encrypted, secure communication) and thus we ensure that data cannot be “leaked” by integrating platforms.

Should I – as a data controller – do something myself?

No. EasyPractice has set up secure communication (SSL) in all integrations.

Be ready by May 2018

The new General Data Protection Regulation – also known as GDPR – will come into effect on 25 May 2018. By then, Danish companies must be ready for the new rules. Make sure you use a platform where the General Data Protection Regulation is a focus. We continually ensure that personal data is handled correctly with EasyPractice. Contact us if you have any questions about this. You can create a free account and try out the platform at EasyPractice.net.

Do you have any questions?

If you have questions you can always write to us at our email contact@easypractice.net. We are ready to help!

Amazing, manageable booking system that is easy to work with. We experience good service, great usability and a simple online booking system that our customers are very happy with. All in all, it’s a great experience working with EasyPractice, and we will certainly recommend it to others.

Anders Laun

Osteopath D.O. & Cert. Physiotherapist
www.osteocare.dk

Sign up for free

Easypractice handles SMS reminders, online booking, journals, and much more!

100% encrypted communication through SSL (LetsEncrypt)