Privacy Regulation and Audiology (I)


Audiology Worldnews EUHA 2017
© Xesai -iStock

The General Data Protection Regulation (GDPR) is the EU’s new legislation to protect the personal data of EU citizens. A failure to meet the GDPR’s standards by 25th May 2018 could lead to fines of up to €20 million or 4% of your global annual turnover. Geoffrey Cooling guides us through the legislation, requirements and implications for audiology clinics and businesses.

A major business threat

While most of our focus has been on a changing market and changing technology, most of us within the profession seem to have missed one of the biggest threats to our industry ever. I know that I did until recently, and considering the lack of conversation about it, I would assume so did nearly everyone else. What am I speaking about, a new player, a new technology, a new internet strategy? No, it is a privacy regulation

Our lifeblood within this profession is returning customers and sales to people who didn’t buy first time. In order to make this happen, we need to be able to contact them. The GDPR ensures that if you do so without implicit permission, it could be fatal for your business.


In this the first of a couple of articles, I would like to introduce you to General Data Protection Regulation (GDPR) and explain why it could be devastating to your business if you don’t take action. GDPR is a new EU privacy regulation that was agreed in 2016 and will come into effect in 2018.

BREXIT probably won’t save you

While BREXIT is looming, it will, in fact, have little effect on GDPR in the short term. I believe that even if a full hard BREXIT happens, UK businesses will have to deal with GDPR, probably under a different name. The UK Government has championed the regulation and is expected to adopt it even if they completely separate from the EU.

Before I outline the act and what it means, I want to assure you that this regulation covers your business. It covers every business from a one-man show to a multi-national once they keep data on their customers.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

Coming Your Way May 2018

As I said, the regulation was adopted on 27th April 2016. However, it becomes enforceable from 25 May 2018 after a two-year transition period. Unlike a directive, it does not require national governments to pass any enabling legislation and is thus directly legally binding and applicable.

The GDPR does not just cover data within the EU, it also covers the export of personal data outside the EU. The regulation was framed to give EU Citizens and residents control over their personal data. It is also designed to simplify the regulatory environment.

All Organisations

For all organisations of any size, it will mean establishing clear procedures around consent and having a legal basis for gathering data, especially in the digital world. It also means that consumers will have the right to ask for access to data held on them and have it changed or erased.

Ultimately, every business will need to reconsider how they communicate with customers, how they gather data and how they organise that data into an effective audit trail.

The Scope

The regulation applies if the data controller (that's you) or processor (Sycle, IPRO, Audidata etc, basically any customer data management system) or the data subject (person) is based in the EU. However, the Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.

Surprisingly some of the Patient management systems that we use every day are not GDPR compliant. Although I have no doubt that they are working towards it. In fact, the only two I am sure are compliant are the systems offered by Audidata and iPro. I plan to send a questionnaire to all of the Patient Management Software Providers to assess their readiness.

Defining personal data?

According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer’s IP address."

The Penalties

Under GDPR organizations in breach of the regulation can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

There is a tiered approach to fines, a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and the data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

What Now?

Simply put, you seriously need to consider not just your handling of data. But also why you gather data. You also need to consider the security of any personal data collected. As I said, that includes paper records. This isn’t just about digital. The GDPR covers all records that include customer information. That means your Patient record cards, your customer lists, your Patient management systems, pretty much any record with their details on it.

Big Fines

If you are found to have breached the regulation, it will involve a pretty big fine. A fine big enough, to possibly put you out of business. Any breach could also lead to legal action from a consumer which could definitely destroy your business.

The UK privacy body has indicated that the regulation will come into effect in May, however, they want to work with businesses as opposed to hand out big fines. They say in the instance of a problem arising, if you work with them and show that you have at the least taken steps to meet the requirements they will be happy to deal with the issue in a more friendly manner.

Opt-In consent

In our daily jobs, we meet prospective customers, during that consultation we fill in a record card. Every record card is a mix of medical record and private information. It is implicitly understood that we will keep that record card on file. Implicit and in fact we have a legal duty to retain medical records. However, implicit understanding is no longer good enough. Implicit understanding is the basis of what is called an Opt Out system.

By that I mean they know we are keeping the record and if they don’t want us to, they need to tell us not to. The GDPR changes all of that, Opt Out is no longer acceptable, all data capture systems need to be Opt-In. So you need to get their explicit consent to record and keep the data.

However, and this is the crux for any commercial hearing healthcare organisation, that basis does not cover contacting a person for marketing purposes. While there are legal or even contractual basis for many things we do in the hearing healthcare profession, getting simple implicit consent is the easiest way to cover all bases. I for one, would not like to be the test case to set precedent for a five year new technology letter without implicit consent signed by the customer.

Providing Additional Information

Under the GDPR, to get consent, additional information must be communicated to individuals in advance of processing, such as the legal basis for processing the data, retention periods, the right of complaint where customers are unhappy with your implementation of any of these criteria, whether their data will be subject to automated decision making and their individual rights under the GDPR. The GDPR also requires that the information is provided in concise, easy to understand and clear language.

Clear Easy To Understand Language

In order for you to meet the requirements of using Customer Consent as a basis for Data Collection, you need to use clear unambiguous language to gain that consent. That language needs to explain why you are collecting the data and what you are going to do with it. The consent they give you needs to be auditable, so that means written consent that is filed and kept. If the consent is not auditable, you are not compliant. If the language you used to get the consent was not clear or did not cover every use case for the data, you are not compliant.

Data security and storage

Data security is perhaps not something that we consider in our business. I figure that many of us think that the management systems have it sorted and generally leave it at that. That can no longer be the case. We need to think clearly about data security and data access.

Noah can be secured with a password and different levels of access security for different users. I wonder how many of us use a secure password? How many of us actually set up different levels of users when we need to give access to receptionist staff or hearing healthcare assistants?

When we set up backups for Noah, do we make sure they are encrypted and secure? Do we store them securely on-site or off-site? If we use cloud storage for back up of Noah, we now need to make sure that it is a secure storage facility that is compliant with the regulations.

Are your patient record cards stored securely? Who has access to them and do they need access to them? If you regularly type up and send medical reports, do you make sure that the digital records of those reports are kept securely? Do you encrypt medical reports on your machine? If you keep hard copies are they kept securely?

After a patient has passed away, do you destroy their records? If so, how exactly do you do it? How long should you keep them for? How in fact should they be destroyed? Should they now be destroyed in a verifiable manner?

Patients right to access data

Under the GDPR a customer has more rights to access their data. I think this is something that we may not have considered. You need to ensure that you have procedures in place to cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

The rights for individuals under the GDPR include:

  • subject access
  • to have inaccuracies corrected
  • to have information erased
  • to object to direct marketing
  • to restrict the processing of their information
  • including automated decision-making
  • data portability

Right to forget

If a customer asks that you delete their data or destroy their data. Can we do it legally? If so, it needs to be undertaken in a verifiable manner, all of the data needs to be deleted, all of the records need to be destroyed. These are just a few of the considerations we need to cover. Unfortunately, we need to do it quite quickly. In the next article, I will outline more or less exactly what you need to start looking at and how you might achieve compliance.