GDPR- Can You Risk 4% Of Your Annual Turnover



The 25th of May 2018 will be the most significant day in EU data protection for 20 years. On this day the law will change how private clinics and other businesses handle the private information of patients and customers. It is the increase in EU citizens' rights to data privacy that has been 10 years in the pipeline.

What is GDPR, and what is all the fuss about?


The General Data Protection Regulation (GDPR) was made by the EU to protect EU citizens' rights to have their personal data protected, and will replace and supersede the Data Protection Directive 95/46/EC.

Any breach of privacy under the new laws can entail a fine of up to 4% of your company's or clinic's annual turnover, which, depending on how much turnover you have, can be a substantial amount.

Financial aspects aside, it can also taint your clinic's reputation and affect the confidence that patients have in your profession.



What is personal data?

This is not just your basic details but also includes information that a company can obtain digitally on a website and on order forms.

Personal data also consists of:

  • Insurance information, e.g. involvement in an accident
  • Online information: email, buying behaviour, social media data
  • Activity on your phone
  • Bank details, PayPal, Amazon and credit history
  • Usernames and passwords
  • Audio and video stored on clinic computers


How does this apply to me?

As a private clinic, you are now obliged under law to be more vigilant with patient data, while also being more transparent about the information you hold. The patient will be able to access any information you have about them and also has a right to know how it will be handled and who it will be sent to, even if it is being sent to other healthcare professionals.


The GDPR also tightens the regulations on sending marketing information: you can no longer send marketing information without consent. Furthermore, the days of buying potential customer data for email marketing campaigns are over, as legal action can be pursued against anyone sending emails without prior consent.

The final important point to remember is that if there is any breach of personal information, whether it is an entire database being hacked or the incorrect letter being mailed to a client, you must report it to the Information Commissioner's Office within 72 hours.

What do I need to do to prepare my clinic for the GDPR?


  1. The first step is to conduct a data audit to analyse how much data is held and how it is being processed and utilised.
  2. Create SOPs that ensure that:
  • There is greater transparency and staff make it clear to patients how their data will be used
  • Evidence is documented showing that all employees follow GDPR procedures when handling data
  • There are procedures in place for when data privacy is breached
  3. Designate a data protection officer



Digital Marketing expert