Your GDPR rescue guide.

I am sure you have heard a lot of terminology and ‘verbiage’ about data and the forthcoming GDPR. You are probably sick of it.

It’s arriving fast, and nothing’s going to stop it. What if you’re feeling a tad unprepared?

Here is our Private Practice Ninja Rescue Guide.

Fundamentally, you need to get your head around the concept of ‘data’. In healthcare, there are two kinds of data that we are mostly concerned with…

There is personal data (e.g. a patient’s name, address, date of birth, private insurance provider etc.) and there is special category data. This used to be known as ‘sensitive’ personal data under the old Data Protection Act and, in a healthcare world, it looks like a patient’s diagnosis, their drug regime, and the x-rays of their wonky toes. Special category data carries stricter rules and a much bigger penalty if it leaks, so it is worth knowing exactly where yours lives.

In a nutshell, GDPR wants you to do 4 things…

GDPR wants you to audit where you are processing your data.

That means how data flows within your practice and how it flows to people outside of your practice.

GDPR wants you to state a lawful basis for why you are processing data. Many people think that the best valid reason they can come up with is that the ‘patient has given their consent’. Consent is actually one of the weaker bases to rely on, because a patient can withdraw it at any time and you then have to stop. Within the sphere of healthcare, there are better-defined bases available to choose from (for example, processing that is necessary for the provision of health care or treatment) that can benefit you as a clinician. (Find out more about this by dropping an email to

GDPR wants you to review your tech ‘cybersecurity’.

This means what you are doing with your laptop, your email system and your secretary’s desktop. GDPR wants to know that your tech is secure enough that, in the event of any human error, you can demonstrate to the Information Commissioner’s Office (the ICO, the UK’s independent data protection regulator) that you had put appropriate safeguards in place before any breach happened.

Having unencrypted patient personal data (or even worse, ‘special category’ data) in consumer file-sharing services such as ‘Dropbox’ (which has suffered a credential breach in the past) is a bad idea. So is emailing without encryption, or without any ability to limit the impact of human error by revoking access to what you have sent. It’s broadly equivalent to holding a clinic whilst under the influence of six double vodka and tonics. It’s plain stupid, and if the ICO sees you’ve put nothing useful in place, get ready for the proverbial ton of bricks to hit you should someone report a breach and you are investigated.

Another way of thinking about this is to imagine you’ve put an envelope in the post. Picture yourself posting the letter into the letterbox and, five minutes later, realising you have addressed it to the wrong person, just as you see the postie driving off with your letter in a van…

Using a well set up system such as ‘Egress Switch’ will enable you to stop the addressee reading the letter if you can get to it before they do. Even if they have managed to rip open the metaphorical envelope before you have realised what you’ve done, Egress keeps its beady eye on the addressee and records whether or not they have opened and read it, or even tried to forward it.

This means you can then contact the addressee and say “I’m ever so sorry, please can you delete that email because I sent it in error”. Whilst this doesn’t actually undo the breach once the message has been read, it does leave an audit trail within ‘Egress’, which you can then show to the ICO to demonstrate that you spotted the error quickly and did as much as humanly possible to contain the situation.

GDPR legally requires you to document your data flows.

What the heck is a ‘data flow’?

Whether you’re moving patient letters via email, sending Dictaphone voice files, or entering clinic notes into a practice management system, these can all be considered ‘data flows’. Each and every way data flows must be documented. As a data controller, you also need to ensure that whoever is handling your data along the way (a.k.a. ‘data processors’, such as your transcription service or your practice management software supplier) is also compliant with the GDPR, and that you have a written contract with them setting out what they may do with the data. This needs to be documented, to show you’ve thought about it.

You also need to document your ‘data breach policy’. Explicitly, you need to lay out how you are going to react if you ‘c**k up’. Where a breach is likely to put patients at risk, you have seventy-two hours from becoming aware of it to report it to the ICO, and you need a documented process that you can show to somebody if they ask for it. Even a breach that you decide is not serious enough to report still has to be recorded internally, along with the reasoning for not reporting it.

In addition, you will need a ‘data privacy policy’ (often called a privacy notice) which tells your patients what you are doing with their data and how you keep it safe. This isn’t something that is supplied on demand: all your patients need to be able to find it without requesting it from you. Consider placing the policy on a page of your website and putting a link to it in your email signature and on your new-patient registration forms.

It doesn’t end there…

Finally, you need a policy that lays out how you handle a ‘subject access request’.

This describes how you will deliver access to data. What this really means is that if ‘Mrs. Jones’ wants a copy of every scrap of data you have ever held about her, you need to be able to explain how she should go about requesting this. You’ll need a system, or a manual process, which enables you to effectively put your hands on the data and give it to her within one month, normally free of charge. That month can be extended for genuinely complex requests, but you must tell her why within the first month, so the process needs to start the day the request lands.

Here is the really important part: if you fail to take action on all of the above, you may be leaving yourself wide open to GDPR trolls, some of whom may actually be your patients.

Think this is extreme?

Have you ever had an officious patient whose joy in life was to create as much administrative hassle as possible for you and your staff? Now they have the GDPR ‘big brother’ on their side.

The good news is that you can ‘prepare and protect’ to gain the upper hand. By being GDPR savvy and compliant, any data breaches will be looked upon more kindly by the ICO, and you are far less likely to receive a fine than a practice which has minimal, or no, GDPR preparation in place.

The Information Commissioner has made it very clear that she wants clinicians to be compliant from 25th May 2018.

Should you tackle it yourself? Or should you outsource?

Getting GDPR ship-shape takes hard preparation and can be tough (if not daunting) whilst you are in the day-to-day flux of trying to run your practice.

At Private Practice Ninja, we’re currently working with clinicians to help them get the practical GDPR work done and dusted. Whether you are a surgeon, a physio, an osteo or a physician, we can help you.

We can relieve you of the heavy workload by taking care of your tech GDPR compliance, so that you can get on with running your practice and feel confident that your GDPR requirements are all being sorted out.

The work typically takes up to the equivalent of three days of our time, whilst only requiring a handful of hours from you, spread over four to five sessions. This means we can schedule the work around your clinic and home life. The best part is, the majority of it can be done remotely. We can literally take care of this whilst you’re in the comfort of your own home or clinic. Sweet.

Like to discuss getting your GDPR compliance done and dusted?

Contact us directly here, or phone 07500 834894.
