General Data Protection Regulation (GDPR) and Power Diary
What is the GDPR?
The General Data Protection Regulation (GDPR) is legislation (i.e. a set of laws) regarding privacy and data protection for the European Union (EU). It was approved by the European Commission in 2016 and has been in effect since May 2018.
The purpose of this legislation is to improve the privacy of citizens residing in the EU by giving them greater control over the data that companies and organisations collect about them.
The GDPR gives EU citizens rights such as:
- The ability to easily access one's own data.
- The obligation of an organisation or company to ask permission before collecting data.
- The right to get a copy of one’s data – and if necessary, the right to completely erase it.
Enforcing these (and many other) rights related to privacy is what the GDPR is all about.
Who exactly does the GDPR affect?
The rules of the GDPR apply to all companies and organisations around the world that collect personal data of users/customers residing in the European Union. This means that if you collect data about patients/clients located in the EU, you are subject to the GDPR regardless of whether you reside in the EU or not.
What is ‘Personal Data’?
The EUGDPR defines personal data as:
‘Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.’
In short, any information a company or organisation collects which can be used to identify a person – either directly or indirectly – falls within the category of personal data. This can be something like a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address etc.
Does Power Diary comply with the GDPR?
The GDPR encourages companies and organisations to use the ‘Privacy by Design’ approach – wherein products and services are designed with privacy in mind right from the beginning.
We at Power Diary have been using this approach long before the GDPR’s recommendation.
Power Diary’s primary purpose is to help you effectively manage your own (and your clients’) personal information. Therefore, right from the start, Power Diary was designed with privacy and security in mind so that our users’ data remains secure.
How does Power Diary help you comply with the GDPR?
The GDPR raises the stakes by imposing fines on any company or organisation that fails to comply with it. In addition to Power Diary’s robust security systems, we added features to further assist you in meeting your GDPR obligations, as follows:
Right To Access and Data Portability
As per the rules of the GDPR, your clients/patients have the right to request you provide them a copy of the data you’ve collected relating to them.
To assist you in meeting any such requests, we added a ‘Single Client Data Export’ function. This feature enables you to generate a copy of a specific client’s personal data that resides in your Power Diary account.
Right to be Forgotten
Under the GDPR, your clients/patients have the right to request that you delete all copies of personal data you’ve collected on them.
In response to this, we added a function to Power Diary called ‘Delete Client’. This permanently removes all data in relation to that client from your Power Diary account.
(It’s important to note that a client’s request for you to delete their Personal Information under the GDPR does not necessarily mean you should comply with this request. Health professionals in most jurisdictions are legally obligated to keep health records for certain periods of time. The GDPR does not automatically negate these obligations and if in doubt you should seek legal advice before deleting client records.)
The GDPR states that a company/organisation is obligated to ask for consent before collecting their clients’ personal data. It also states that the client has the right to revoke that consent at any time.
Power Diary assists you with this in the following ways:
1) Consent is asked on the Client Portal: Power Diary enables you to automatically ask consent from your existing clients regarding data collection. This is done through customisable ‘terms and conditions’ which display (and which clients have to agree to) when registering and booking appointments online via your Client Portal.
2) Consent Status is shown on the Client Record: A new field has been added to the ‘Client Record’ which allows you to indicate whether a client has given or revoked their consent to record, access and use their personal data. The system will also indicate if consent has not yet been requested, enabling you to identify any clients that require follow-up in relation to this.
We care about you – and the GDPR
For us, nothing matters more than ensuring that your data is safe and secure. In addition, we also ensure that Power Diary manages the Personal Information of our customers (that’s you) in a manner that complies with our obligations under the GDPR.
With this in mind, we appointed a Data Protection Officer (DPO). Their role within Power Diary is to ensure we follow best practices when it comes to data protection and privacy – and of course – that we remain compliant with our current and any future GDPR obligations.
We’re here to help you. If you have any additional questions regarding the GDPR and Power Diary, please don’t hesitate to reach out to us.