GDPR for doctors: What you need to know if you collect any personal data online

By now, you’ve no doubt heard about the GDPR, which stands for the General Data Protection Regulation. The regulation takes effect on May 25th, 2018, and the countdown is on…


Disclaimer: This article provides general information and does not substitute for legal advice. We mainly wrote this article with doctors in mind, but the information contained herein applies to anyone collecting personal data from prospective customers and indeed, customers.

Who is affected by GDPR?

The new GDPR goes into effect soon. It applies to every business established in the EU, and to any business anywhere in the world that handles the personal information of “data subjects” in the EU, whatever citizenship those people hold.

So, yes, that’s pretty much every EU-based doctor with a website that collects personal data such as names, e-mail addresses, phone numbers and even IP addresses through tools like Google Analytics. The Information Commissioner’s Office (ICO) requires you to comply if you handle health data, and it further classifies health data as “sensitive data”.

For British-based businesses, there’s no Brexit “get-out-of-jail” card. Doctors in the UK will need to comply with these regulations because the UK wants data to keep flowing freely to the rest of Europe, so it has to maintain the same standards of data protection as the rest of Europe does.

What are the consequences of not complying with GDPR?

Anyone not complying with GDPR can be fined up to €20 million or 4% of their worldwide turnover for the last 12 months (whichever is greater). That’s the factoid you’ve probably heard about most.

Is that likely to happen to a small business or an independent doctor? It’s unlikely. First, no GDPR police will visit your website on May 26th demanding that you comply. Instead, regulators will follow up with the businesses that receive the most complaints, which are most likely to be marketers with the largest audiences and the greatest potential for a breach.

Should you ignore these rules, you run the risk, at the very least, of damaging your reputation if anyone cares to notice and ask: “Don’t you care about privacy?”

Besides, the regulatory trend is without a doubt moving towards tighter protection of personal data in commercial use. Embrace these changes, and you’ll be well prepared to thrive in the coming regulatory environment, wherever you primarily do business.

On the positive side, you can use GDPR as an opportunity to show that you can be trusted with personal data, which is what every prospective patient wants from their doctor.

You must also ensure you are dealing with GDPR-compliant data processors (like marketing agencies) and sub-processors (like social media or review sites) because, if your data processor misuses the information, YOU, as the data controller, are responsible.

You should only allow processors with whom you have a data processing agreement to handle your data (as you would have with us if you were our client).

Should you panic about GDPR?

No. The rules are confusing, and the penalties are harsh, but with the right tools and actions, doing what you need to do isn’t intellectually challenging. It does, however, require time and attention to detail.

Want us to get you GDPR compliant as soon as possible?


Schedule a free call with us to discuss your needs and we’ll either offer you our “Do-it-for-you” GDPR compliance package or refer you to a legal expert.

Start here

So, what do you need to do for GDPR?

We’ve investigated this issue from the digital marketing perspective for months because we are digital marketers and we wish to help our clients comply with these regulations.

That said, we’re not lawyers, so we cannot and do not give legal advice. We also limit the scope of the compliance services we provide to the digital marketing arena. There may be more you need to do offline, but the general principles still apply.

You can break down what you need to do by looking at the data you’ve collected in the past and the data you intend to collect in the future:

Regarding personal data you’ve obtained in the past

First, what’s meant by personal data? According to the ICO:

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

In non-legalese: Personal data refers to names, phone numbers, e-mails, comments, questions, and even IP addresses and other digital data that tools like Google Analytics collect in the background. This data remains personal data regardless of what you did with it (even if you never sent anyone an e-mail or called anyone back). Merely storing this data requires you to comply with the GDPR.

If the email address is a generic one such as [email protected], [email protected], etc., it’s not personal data, because you cannot identify a person from such an email address. However, if you do business with other businesses, note that sole traders and partnerships count as individuals and are therefore covered by GDPR.

First, you’ll need to:

  • Audit and document any personal data you have collected and log where it came from and with whom you share it.
  • Review and document the legal basis for the processing of data (there are six legal bases for data processing which you can learn more about on the ICO site).
  • Prepare and e-mail a re-engagement campaign to existing list members, asking them for fresh consent, to the GDPR standard, to market to them.

Regarding personal data that you intend to collect in the future

You’ll need to:

  • Add opt-in wording for explicit, affirmative and granular consent on all online forms. “The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.”
  • Opt-in language must be transparent and easy to understand (a good test is to show it to an 8-year-old; if they understand what you’ve written, you’re likely safe).
  • You must keep a record of this consent.
  • Update or add a privacy notice to your website (where you explicitly tell people they can withdraw their consent for their data to be processed, among other things).
  • Update or add a cookie policy to your website.
  • Ensure data processors are compliant with GDPR (ideally with a Data Processor Agreement).

In a nutshell, that’s your GDPR to-do list.

GDPR sounds like a lot of work, doesn’t it?

It does. And it’s new work that is unlikely to be part of a new website build, because the web developer is generally not interested in how you collected data in the past and what to do with it now. Furthermore, much of the detail regarding what you need to have in place has only come to light recently, as legal experts translate the legalese into actionable steps businesspeople can take.

We estimate that in most cases doing all of this will take at least 12 hours of work, and that assumes you have templates you can readily adapt. We approached lawyers to help us quote this work, and we received estimates of as high as £5000.

So, what are your options regarding GDPR compliance?

Option 1 – Do nothing

The least attractive option. At the very least, you must show you are taking an interest in your users’ data and making an effort to protect it. Should you ever have a data breach or a slew of complaints, the ICO will not look favourably on negligence.

Option 2 – Stop marketing online!

That’s an undesirable option. There is no need to stop collecting and processing personal information; you merely have to do it correctly, and doing so isn’t that difficult. Ceasing marketing activities because of GDPR is counter-productive to your aims as a business and an over-reaction to regulations that will likely only become stricter over time.

Furthermore, stopping marketing activity does not save you from taking actions towards becoming GDPR compliant because “Processing” includes storing personal data, not solely collecting it in the future.

Option 3 – Prepare for GDPR yourself

That is a viable option, provided you have the time and the ability to make all of the above updates. We can also direct you to templates provided by Suzanne Dibble, a UK lawyer qualified for 20 years. Suzanne is a data protection lawyer who knows what GDPR is all about. She also understands digital marketing and currently runs the most significant Facebook group about GDPR.

Suzanne also provides a GDPR Pack, a collection of over 20 vital templates you can use to get compliant. The package is an astonishing bargain at £197 [affiliate link], and it comes with a two-hour training video you can watch to get your head around the details. Mind you, you’ll need to do everything yourself, but should you get stuck, the Facebook group is helpful, and Suzanne can provide 1-to-1 legal advice for your specific circumstances at the rate of £300/hour.

Option 4 – Let us get your digital marketing GDPR compliant

The most straightforward choice by far. We’ll buy Suzanne’s GDPR kit on your behalf (this is necessary because we do not own the copyright) and then carry out all of the steps mentioned above to deal with your past data and prepare you to collect data after May 25th (assuming you give us the go-ahead in time!).

Should you have any special requests or specific legal advice requirements that exceed the scope of these services, we’ll refer you to Suzanne for additional help.

Doctors can consider GDPR an opportunity to build trust

Privacy and data protection may feel like a time-consuming nuisance, but they are in everyone’s interest. Further, by asking your list to give you fresh consent you can:

  • Better target your marketing to those who wish to remain engaged
  • Improve deliverability and engagement in the future
  • Gain a competitive advantage by being accountable for data protection. Many of your colleagues may not be remotely concerned about GDPR, and this is an opportunity for you to stand out as a service provider that is up to date with how one does business in the 21st century.

In the wise words of the legendary marketer Seth Godin:

“The noise will go down, and the trust will go up…

Talk to people who want to be talked to. Market to people who want to be marketed to. Because anticipated, personal and relevant messages will always outperform spam. And spam is in the eye of the recipient.

In two simple words: Ask First.”
