DenGro, GDPR and your practice

GDPR in a nutshell.

GDPR is simply consumer data protection. It’s not new; in fact legislation around the use of our data has been around for a while, but this change is a big one with potentially hefty fines for breaching compliance. The updates are being made in response to our ever increasing digital world, creating more robust regulations, so it’s important to have the lowdown.

GDPR exists to protect everyone’s personal data, and updates to this legislation affect all businesses that handle data for EU citizens. ‘Data’ refers to any information collected about a person. For example, any instance in which a person fills out a web form, requests a call back or signs up to a mailing list, they pass on their personal information to that business. So, as a dental practice with a database of patients and potential patients, GDPR directly applies to how you manage this kind of personal data (such as email addresses, telephone numbers, dates of birth, treatment notes, photographs, etc.).

You. As a dental practice you are a Data Controller. You own, store and are responsible for data about your patients, and those who may be interested in treatment (your leads).

DenGro. As a tool that helps you manage and process data about your leads, DenGro is a Data Processor. DenGro does not own the data.

Your practice responsibilities.

As a dental practice, you are a Data Controller (in GDPR lingo), which means that you own and control information about your patients, as well as data for those who may be interested in treatment. In terms of the updated legislation, this means that there are three main areas that need your attention:

1. A lawful basis to hold data.
2. Your existing leads.
3. View, amend and delete requests.

1. Lawful basis for holding data

You can process data provided you have a lawful basis for doing so, as defined by the ICO.

We recommend you seek professional legal advice as the relevant legal basis will vary across different practices, and could vary for example if you are capturing leads for new or existing patients.

You may want to rely on gaining consent at the point you capture data using opt in fields. Opting in should be clear and transparent, with no long words or jargon, and it must be clearly logged.

If you take this approach, it is important that consent is captured irrespective of the channel of communication that they reach you by. So, you may wish to review your telephone scripts to include a request for consent in preparation for when a new lead calls the practice directly.

How DenGro is helping you with consent

Our aim with DenGro has always been to make your practice life simpler, so we’ve made a few changes to help you stay on the right side of GDPR* with minimum hassle.

• When filling in a form on your website the lead could tick a consent box in order to confirm that they are happy to share their personal data, and to submit their enquiry to you via DenGro. For more generic marketing activities, we recommend you add another (optional) checkbox as well.

• We can provide you with the details required to capture consent, and we can also supply you with pre-written consent wording that you can drop straight in, should you need it (you can modify this to make it personal to your practice).

• When you manually enter a new lead into DenGro, you’ll be able to document any consent you have gained. Using your team members’ login, DenGro can record who in your practice has recorded the consent too, and so keep a nice neat audit trail. This also acts as a helpful reminder for your team that consent should be recorded, if this is relevant to your practice.

• Within DenGro, you’ll also be able to clearly see what consent has been documented for a particular lead, so it should always be clear what you are allowed to do with the data.

*As the Data Controller, the responsibility for gaining consent to process personal data lies with you. This isn’t new; it’s detailed in the Subscription Terms and Terms of Use accepted when signing up and first accessing DenGro.

2. Existing leads in DenGro

So, what about all your existing leads? if you're relying on consent as your legal basis, it’s possible that you don’t have consent documented for historical leads, so it’s important that you consider how to take action to ensure data for existing leads is GDPR compliant. We’re not legal specialists, but if you want to get started, two options might be:

1. Delete all leads which don’t have documented consent.
2. Choose a reasonable period of time for leads to either proactively confirm that they are proceeding with treatment or are not interested, then request consent or delete their details respectively.

If you have an alternative legal basis to keep data, you can obviously rely on that too.

3. Individuals’ rights to view, amend or delete personal data

Individuals have more extensive rights to view the data you store about them, and require that you amend or completely delete that information at their request.

Your Privacy Policy should be updated to reflect this in line with the GDPR. You may also want to notify your existing leads of your revised policy, with a link to where they can find it on your website.

Your practice may receive requests to view, amend or delete personal data. For new leads, DenGro automations (emails and SMS messages) will have a link where the lead can manage their contact preferences.

You can action data requests using DenGro by completing one of the following actions:

• View. Export data straight from the lead detail page in DenGro, ready to send to your lead as a .CSV file.
• Amend. Changes to data can be made directly in DenGro (you can also then export and send the amended details).
• Delete. Should you ever receive a delete request from a lead directly, you can easily delete all their data within DenGro. If we receive a request to remove consent, we’ll display it on your dashboard, where you can remove the data in DenGro at the click of a button. (You’ll potentially need to remove that lead’s data from other places you’ve stored it too.)

Continuing to support you with secure data capture.

Our DenGro team come up with solutions everyday to make your practice life easier. Some of our upcoming developments will not only help you capture lead data, but also manage it more securely.

Build your own data capture forms

Pretty soon, you’ll be able to create a data capture form for your website or landing pages from within DenGro. These forms capture data from someone interested in your practice or a particular treatment. You’ll be able to customise the forms, and add them to your website or landing pages with a single line of HTML.

On these forms will be an area for you to link to your Privacy Policy, as well as the relevant consent box by which your lead can ‘opt in’ if that's relevant for you.

General enquiries

DenGro will also soon be updated to assist you in capturing general enquiries more securely. This means that when you receive a general enquiry it will be stored in DenGro, where the person’s message and details will be held securely until reviewed. You will able to choose to treat the enquiry as a lead, or to review it and archive it when it’s been dealt with accordingly, saving you from receiving lead data from unsecure emails.

Practice referrals

Capture of patient referrals is also a new feature on the horizon. When a referral heads into DenGro from another practice, you’ll be given the option to accept or reject it. If you click ‘Accept’, you’ll be prompted to add consent. You’ll need to complete this step in order for their details to go into DenGro as a new lead, or to review their details and archive the task when you’ve dealt with it. If you reject a referral, DenGro will automatically remove the data.

Read more about GDPR.

DenGro is dedicated to simplifying your practice lead management, which is why we’ve made these changes to assist your practice with GDPR compliance. However, we’re not lawyers, and GDPR applies to the way your practice as a whole manages people’s data. We’ve updated DenGro to continue to make lead management as easy for you as possible, but you’ll need to consider areas not covered by DenGro, and make sure you’re up to date with any developments.

For example:

Privacy Policy. You must ensure that you’ve got an up-to-date Privacy Policy, which is accessible if requested. The policy should cover both data stored in DenGro and any other systems your practice use. Your Privacy Policy should be clear and available on any website or landing pages where you capture data.

Data awareness. If you receive data without explicit consent, it is your responsibility to make sure you handle this in a lawful manner.

Children under 16. Parental consent is required for any data stored for children under the age of 16. We haven’t designed DenGro to market to the under 16 market, and our terms and conditions reflect this.

Becoming practice compliant with GDPR may also mean getting in contact with other service providers you use, to see how they are responding to legislation changes and how it affects you.

If you want to know more about GDPR and brush up on your data protection knowledge, we’ve listed a few resources here which you might find useful.

Useful links:

The Information Commissioner’s Office has a number of online resources:

The ICO Guide to GDPR. The ICO Data Protection Toolkit. 12 steps to prepare for GDPR.

IT Governance offers recommended books, training, plans, privacy notes, and procedures. Quick wins to demonstrate GDPR compliance.

*Don’t forget that GDPR applies to the whole of your business. This page offers you information on our DenGro updates, but you will need to consider how the legislation affects your business as a whole. You can do this by consulting with a specialist or using a Data Protection Assessment Toolkit.