GDPR requirements for Doctors, Physios and Osteos. Are you compliant?

Are you truly GDPR compliant?

Perhaps you think you might be, but you’re not 100% certain. Maybe you’ve hidden from it in the hopes that it’s all gone away.

The GDPR wasn’t ‘a date in the diary’. It’s something we are all legally obliged to be compliant with. If you are not, you are quite simply breaking the law. You might think that the ICO isn’t coming after you, but it goes way beyond whether or not you might be fined (unlikely, but definitely not impossible).

It can also really mess with your head and your working week.

Recently we have had a couple of clients contact us in a panic because of pi**ed off people who wanted to see their GDPR paperwork, which either wasn’t in place, was incomplete or inaccurate.

In other words, it only takes one officious, angry patient, who has a bit of legal savvy to start your very own GDPR nightmare. A nightmare that you don’t have time for because you have a diary full of other demanding patients. It can literally make you feel sick.

Being compliant is one way to ensure you can sleep better at night, and know that if a complaint is made, you can handle it.

How do you know if you are GDPR compliant?


Some of the areas we see people commonly getting wrong…

Your Privacy Notice.

How did you construct yours?

Did you buy a generic template from the internet or fudge some copy naughtily whipped from other websites?

In Private Practice this is particularly bad news.

Your Privacy Notice has to contain many things, and a big chunk of them is how you use, move and store data. The only way you can document all of this accurately is to carry out what’s called a Data Flow Audit: a record of what personal data you hold, where it comes from, where it goes, who it is shared with and how long you keep it. See the ICO’s Guide to Data Protection: ‘How do we document our processing activities?’

Buying an online template won’t cover this essential step. When we see people getting into trouble relating to their Privacy Notices, it’s usually because they’re missing vital documentation that would have been generated by their Data Flow Audit.


Which leads me onto…


Not having a controller-to-processor agreement in place.

Just about every clinician in Private Practice will need to be registered as a Data Controller with the ICO (Information Commissioner’s Office).

Please tell me you already are, or do it online immediately – it only costs around £40 per year.

If you’re handing over patient data to be processed by someone else (think medical transcription companies, email providers, Egress, data storage providers, medical software suppliers etc.), then you must have a written agreement in place with each of them. This is a contract (the GDPR calls it a controller-to-processor contract) setting out what the processor may do with the data, the security measures they apply, and that they will only act on your instructions. It is also why a big hullabaloo blew up about transferring data to transcription and admin companies overseas: sending patient data outside the UK/EU needs extra safeguards on top of that contract.

You need to be able to demonstrate you have documentation for each processor you work with.


This is totes obvious, but nearly every single client we’ve worked with had room for improvement here…


Not ensuring your hardware is encrypted.

Got a Windows laptop? You need to encrypt it, and the tool built into Windows for that is BitLocker.

Here’s the catch: to manage BitLocker yourself you need to be using Windows 10 Pro, Education or Enterprise. (Some Home edition laptops offer a cut-down ‘Device encryption’ switch under Settings, which is BitLocker under the hood; if yours shows it, turning it on counts, but you get far less control and no say over where the recovery key goes.)

Otherwise, you have to upgrade from the Home edition.

You also need a laptop with a TPM (a ‘Trusted Platform Module’). This is a chip that protects the key that unlocks the drive and only releases it if the machine boots normally, so a thief who pulls the disk out or boots from a USB stick gets nothing. Without a TPM you can still run BitLocker with a startup password or USB key, but it needs a Group Policy change first and is fiddly.

Putting it another way, you almost certainly need a business-level Windows laptop (most laptops sold in the last few years have a TPM 2.0 fitted), and it’s a great excuse to treat yourself anyway.

Encryption is far easier on a Mac with these simple steps…

Go to the Apple menu, open System Preferences, then Security & Privacy, then the FileVault tab. Click the little padlock symbol, enter your password to unlock it, then click the ‘Turn On FileVault’ button. It will show you a recovery key (or offer to let your iCloud account unlock the disk); write that key down and keep it somewhere other than the laptop, because without it a forgotten password means the data is gone for good. Don’t forget to lock the padlock again when you are done.

But it doesn’t end at laptops. If you’re using a portable Dictaphone, it needs to be encrypted too. Not all of them are; two examples that are encrypted are the Olympus DS-3500 and the Olympus DS-7000 Digital Voice Recorders. The same goes for any USB stick or external drive that patient data ever touches.
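As an added example (this script is mine, not part of the original article), here is how to confirm the Windows requirements above on a laptop before a patient or the ICO asks: edition, TPM, and whether the system drive is actually encrypted and protected. It uses only the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 10/11 and must be run from an elevated PowerShell window. By default it changes nothing; the `-Enable` switch, the `Check-Encryption.ps1` filename and the choice of full-disk XTS-AES-256 are my assumptions, not the article’s.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Read-only BitLocker check for the
# Windows system drive; -Enable turns BitLocker on with a TPM protector plus a
# numerical recovery password. Save as Check-Encryption.ps1 (name is an assumption).
param(
    [switch]$Enable   # off by default: report only, change nothing
)

$drive = $env:SystemDrive   # normally "C:"

# 1. Edition: the BitLocker cmdlets need Pro, Enterprise or Education.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Windows edition : $($os.Caption)"
if ($os.Caption -notmatch 'Pro|Enterprise|Education') {
    Write-Warning "Home edition: look for 'Device encryption' in Settings, or upgrade. 'manage-bde -status' will still report the drive state."
}

# 2. TPM: present and ready for use?
$tpm = Get-Tpm
Write-Host "TPM present     : $($tpm.TpmPresent)"
Write-Host "TPM ready       : $($tpm.TpmReady)"

# 3. Current BitLocker state of the system drive.
try {
    $vol = Get-BitLockerVolume -MountPoint $drive
} catch {
    throw "BitLocker cmdlets unavailable on this edition; run 'manage-bde -status $drive' instead."
}
$protectors = @($vol.KeyProtector.KeyProtectorType)
Write-Host "Protection      : $($vol.ProtectionStatus)"   # On / Off
Write-Host "Volume status   : $($vol.VolumeStatus)"       # FullyEncrypted / FullyDecrypted / EncryptionInProgress
Write-Host "Cipher          : $($vol.EncryptionMethod)"
Write-Host "Key protectors  : $($protectors -join ', ')"

$encrypted   = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
$hasRecovery = $protectors -contains 'RecoveryPassword'

if ($encrypted -and $hasRecovery) {
    Write-Host "OK: $drive is encrypted and protected, with a recovery password on file." -ForegroundColor Green
    return
}
if ($encrypted -and -not $hasRecovery) {
    # A TPM reset or firmware update can make the TPM refuse to release the key;
    # without a recovery password that locks YOU out of your own patient records.
    Write-Warning "Encrypted, but no recovery password protector. Add one with: Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector"
}
if (-not $Enable) {
    Write-Host "Run again with -Enable to turn BitLocker on."
    return
}

if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM. BitLocker can run with a startup password/USB key after the Group Policy 'Allow BitLocker without a compatible TPM' is set, but this script only handles the TPM case."
}

# Turn it on. Full-disk rather than -UsedSpaceOnly because a laptop that has already
# held patient data may have deleted files sitting in what Windows counts as free space.
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# Add the recovery password as a second protector and show it exactly once.
$updated  = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$recovery = ($updated.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Host "Recovery password (write it down and store it OFF this laptop, e.g. in the practice safe):"
Write-Host $recovery
Write-Host "Encryption is now running in the background; re-run this script later to confirm FullyEncrypted."
```

Run `.\Check-Encryption.ps1` from an elevated PowerShell window for the report, and `.\Check-Encryption.ps1 -Enable` to switch BitLocker on. The status check is the part worth repeating: a drive that reports `ProtectionStatus: Off` or `VolumeStatus: EncryptionInProgress` is not yet protected, however many padlocks you have clicked. The Mac equivalent of the status check is `fdesetup status` in Terminal, which should print “FileVault is On.”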


The final common mistake we see clinicians making is…


Not having a Data Breach Policy.

Yep, you need one of those too – and it’s not the sort of thing you want to have to retrospectively invent in a hurry either.

This piece of documentation sets out what steps you will take in the event of a data breach (all breaches, even the ones you decide not to report, should be recorded in a Data Breach Log by the way).

Within your Data Breach Policy, you should describe how you are going to contain the breach and manage the incident going forwards, which includes how you would assess the risk to the patients affected, and whether you will be notifying the ICO. Bear in mind the clock: a breach that is likely to put people at risk has to be reported to the ICO within 72 hours of you becoming aware of it, and if the risk to them is high you have to tell the patients themselves as well, so the policy needs to say who does that and how.

If you know your GDPR documentation is letting you down (or is downright shameful)…

In the run-up to the first GDPR anniversary (May 25th 2019), we’re declaring our own

‘GDPR amnesty’

For a limited time only, we can offer you help at a discounted rate!

Get GDPR Help

Don’t hesitate, we want you to be able to sleep well at night!




Email us, call us on 0207 993 6425, or find us on Instagram: http://www.instagram/privatepracticeninja