Navigating GDPR Compliance In Client-Led Businesses

Best Practices for Client Management

Disclaimer: First off, I have a background in clinical trial management (several years) and I have (over) a decade of working in a medical field where patient-related involvement and GDPR practices have been ingrained in my soul… Please note that while this information aims to be helpful, it is not legal advice. Always consult with a legal professional regarding GDPR or other data protection practices.


If you're a health coach, doula or other client-led small business, maintaining the confidentiality and security of your clients' personal information is not just a matter of professional integrity—it's a legal imperative. In today's digital world, where personal data is as valuable as currency, stringent regulations like the General Data Protection Regulation (GDPR) set the standard for data privacy and protection. Understanding and complying with these regulations ensures that your business not only respects client privacy but also avoids hefty fines and legal issues (yes, billions in fines have been issued, so it's worth getting this right!).


What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, in the European Union (EU). It's designed to give individuals, referred to as "data subjects," more control over their personal data. Under GDPR, personal data includes any information that can directly or indirectly identify a person, such as:

  • Names
  • Photos
  • Email Addresses
  • Home Address
  • Medical / Health information
  • Basically anything identifiable (even IP addresses!)

GDPR Worldwide: EU, US, Canada, and Beyond

While GDPR is an EU regulation, its reach is global. It applies to any organization, anywhere in the world, that processes the personal data of EU residents. In the US, there isn't a federal law that's equivalent to GDPR, but there are state-specific laws such as the California Consumer Privacy Act (CCPA) that share similarities. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) sets its own standards for data protection, with a focus on consent, reasonability, and individuals' rights to access their personal information.

Countries around the world are increasingly adopting data protection regulations that reflect GDPR principles, recognizing the importance of data privacy in the digital landscape. If you have a virtual health and wellbeing related service (health coach or doula) and you are working either locally or internationally or with clients from different countries/states, you must navigate an intricate web of data protection laws.

A Step-by-Step Basic Approach to GDPR Compliance

1. Understand Your Data: Know what kind of data you collect and how you're going to use it. Who else might have access to it?

2. Handling the information you get: First, establish a legal basis for handling personal data, such as obtaining explicit consent from your clients (for example: a signed confidentiality agreement with a GDPR statement). If the way you use the information you hold is going to change (for example: publishing their story, including their health background, on social media as a testimonial), then you will need to create a document or a paper trail showing that you obtained their consent for this too.

3. Data Minimization: Collect only what's necessary. The less data you have, the less you have to protect! This means collecting only the minimum amount of information that you need to deliver your services effectively.

4. Secure Your Data: What security measures do you have in place? Do your devices (the ones holding client information) use encryption, firewalls, and secure data storage to protect against data breaches?

5. "Data Subject" Rights: Familiarize yourself with the rights of individuals under GDPR, including access to their data, the right to rectification, the right to be forgotten, and more. For example, in your paperwork you might want to consider including a section on how long their information will be kept and when it will be destroyed.

6. Data Protection Impact Assessment (DPIA): Basically this is a risk assessment. Identify your high-risk processing activities and work out how to mitigate the data protection risks they carry. For example, you have a paper copy of the health questionnaire, service and confidentiality agreement... but what if you leave it in the coffee shop where you had an in-person meeting with your client? What if it is lost in transit? That is a lot of information that is now publicly available; this is an example of what a breach looks like. How can you mitigate this risk? Can you use a digital copy only? Can you ensure that you have a scanned copy securely stored as a back-up of your GDPR paper trail? Losing a consent form or an agreement means that you have to issue new ones for your client to sign (a paper trail is imperative). Protect yourself and have a copy stored safely and securely. Have a protocol in place for how you manage high-risk data processing events.

7. Awareness: Ensure that everyone who helps you (e.g. a back-up doula or a third-party business) understands their role in maintaining GDPR compliance. There are GDPR training courses available.

8. Data Processing Agreements (DPAs): Have DPAs in place with any third parties that process personal data on your behalf. For example, do you have an agreement with your back-up doula? An agreement should also specify GDPR-related best practices.

9. Breach Notification: Have a plan for any data breach that occurs. For example, you request advice or support from a local third-party service and a client's personal information is shared, or you accidentally send a client's personal information to the wrong email address (social media, a friend, a family member, a service etc)… You need to record what happened somewhere and reach out to the person who has accidentally obtained this information, asking them to delete it (and maintain a record of how you contained the breach).

10. Documentation: Keep a record of where data is held and when it is migrated or destroyed, as evidence of GDPR compliance.


Resource Lists

To ensure a secure data system, invest in software/systems that are designed with privacy and security in mind. These should include end-to-end encryption, secure data storage, and regular security updates to protect against the latest threats. Look for systems that are specifically compliant with GDPR (and other relevant local data protection laws).

Here are some resources that can help you understand and implement a secure system:

Information Commissioner's Office (ICO): The ICO is the UK's independent body set up to uphold information rights and data privacy for individuals. Their website offers extensive guidance on GDPR compliance.

Website: https://ico.org.uk/

Office of the Privacy Commissioner of Canada (OPC): The OPC provides guidance on complying with PIPEDA and understanding privacy rights.

Website: https://www.priv.gc.ca/en/

U.S. Department of Health & Human Services (HHS): For health-specific data protection in the U.S., the HHS offers resources on the Health Insurance Portability and Accountability Act (HIPAA), which can be relevant for health coaches and doulas handling health information.

Website: https://www.hhs.gov/hipaa/index.html

European Data Protection Board (EDPB): The EDPB is an EU body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities.

Website: https://edpb.europa.eu/

Client Confidentiality Agreement

A client confidentiality agreement is crucial for any client-related business. This agreement should clearly outline how you will use, store, and protect your clients' data, and how you will comply with GDPR and other data protection laws. It should also detail the rights of the client regarding their personal data (e.g. they can request that all information they have shared with you is destroyed / not stored / not shared with any third party). Ensure that a legal professional reviews your confidentiality agreement to make sure it's compliant.

Statistics you need to know about…

I am not trying to put the fear of God in you, but the statistics I am about to share with you are very real, so it's important to get this right!


By 2023, GDPR fines had reached over €1.5 billion in total since the regulation came into force. Data breaches in the healthcare sector are among the most costly, with an average cost of $7.13 million per breach according to a 2020 report by IBM Security. A survey by Cisco showed that 84% of consumers want more control over how their data is being used.

Remember, GDPR compliance is not just about avoiding fines; it's about building trust with your clients.


By demonstrating that you take data privacy seriously, you can enhance your credibility and establish yourself as a professional who values and protects client information.


Please note that while this information aims to be helpful, it is not legal advice. Always consult with a legal professional when implementing GDPR or other data protection practices in your business.


Empowering your voice in quality of life businesses. Where science meets creativity.

sian@nurture-preneur.com
