No dental clinic can operate without processing personal data. Personal data of patients and employees is processed on a daily basis. Dental clinics also use a large amount of data related to their patients health, which according to the General Data Protection Regulation (GDPR) is a special category of personal data. Processing special categories of personal data means that stricter rules and stronger security measures must be applied.
Data protection to-do list for dental clinics.
In order for dental clinics to meet data protection requirements
- An audit must be conducted to create an overview of the data processing that takes place in the company. During the audit, possible risks are defined, and proposals are made for mitigating the risks.
- An overview of the processing activities must be put together. All processors of personal data have a duty to record all data processing activities where personal data is processed.
- Privacy policy must be drawn up and published. A publicly available policy helps patients, as well as employees and website visitors, understand what data is collect and why. The obligation to make such information available comes from the law and shows that you respect the privacy of your patients and employees.
- A register of breaches must be created. All personal data breaches must be recorded in a register. Depending on the nature of the breach, the local supervisory authority, and the people whose privacy was compromised must be notified of the breach.
When to get a data protection specialist?
A data protection specialist advises the company on data protection issues. I recommend involving a specialist as soon as possible. Data protection requirements apply to all dental clinics, regardless of their client base, number of employees or financial turnover. It is worth asking advice from a data protection specialist if you need a better understanding of the general principles of data protection or if you need an initial risk assessment.
A separate topic is the obligation to appoint a data protection specialist in the Estonian Business Register. The Estonian Data Protection Inspectorate recommends that all dental clinics with more than 5,000 patients should appoint a data protection specialist in the Business Register, but the requirements for personal data protection apply to all dental clinics, regardless of the number of patients. Therefore, if you have not paid attention to data protection and if you do not feel particularly enthusiastic about this topic, I recommend consulting a specialist as soon as possible.
Data protection specialist – as a service or hired in-house specialist?
The data protection specialist works closely with the company’s executive management, but to avoid a conflict of interest, they should not be part of the management themselves. A data protection specialist can be an employee, or you can just purchase data protection as a service from another company.
When hiring a data protection specialist, it should be considered that it takes a highly qualified employee whose salary request may be quite high.
When appointing an employee as a data protection specialist, it must be considered that ensuring compliance with data protection requirements can be very time-consuming, and the employee needs extensive training beforehand.
When purchasing data protection as a service, you must be honest with the service provider. To protect personal data and avoid violations and fines, real compliance with the principles of data protection is needed. It is not enough to just get some papers in order and hope for the best.
Medata helps you to create an overview of personal data processing in your organization and manage related risks.
If you feel that you need additional advice on personal data protection, please contact info@medata.ee.
Hanna Kriiska
Data protection expert