This is how doctors and alternative practitioners protect themselves from warnings under the new GDPR
On May 25th the General Data Protection Regulation (GDPR) comes into force. All companies must make their websites compliant with data protection law by this date. This applies without restriction to therapists, doctors and naturopaths as well. Besides optimising internal processes, the requirements to be implemented also cover the external presentation, such as the legally compliant design of the website. We asked attorney Brian Scheuch, an expert in data protection and internet law at the law firm Heidrich Rechtsanwälte, which points deserve particular attention.
Mr. Scheuch, can you explain to us, as laypeople, what this new regulation actually means?
This is something of a revolution in data protection law. For the first time we have a uniform data protection law in Europe that replaces all national law in the member states. The GDPR will enter into force across Europe on May 25, 2018. It is also intended to set an example of strong protection for citizens' data, in contrast to the rather weak law in the USA, for example.
Why was it implemented at all?
The aim of the General Data Protection Regulation is to establish a level of data protection that is the same across Europe. This is intended to eliminate existing distortions of competition, particularly in European countries that had relatively weak data protection. The enforceability of data protection is also to be improved by significantly higher fines.
Are there special aspects for doctors, therapists and naturopaths that they have to consider?
Yes, absolutely. These professional groups usually work with very sensitive personal data, such as health data. According to the GDPR, such data must be specially protected by technical and organisational measures. In practice, this means, for example, that patient data should be stored in encrypted form wherever possible and, if possible, not uploaded unprotected to cloud providers such as Dropbox.
What do website operators have to consider?
In addition to the internal processes and the requirements for IT security, website operators should above all make sure that their company's external presentation is compliant with data protection law. In this area there are numerous obligations to inform users of the website about the processing of their data. The central element of the site is a data protection declaration adapted to the new requirements. Such a declaration can now easily run to more than 20 pages.
What could happen if you just do nothing?
As almost always, doing nothing is the worst solution. In the event of violations of the General Data Protection Regulation, the responsible authority, which is the data protection officer of the respective federal state, can impose a fine of up to 20 million euros or 4% of the group's worldwide sales, whichever is higher.
In addition, however, there are also expensive warning letters from competitors or so-called warning associations. Websites with a missing or even incorrect data protection declaration can be found quickly using search engines. The past has shown, in e-commerce in particular, that a "wave of warnings" regularly rolls in after new legal regulations on information requirements. Such a warning not only costs money, but also a lot of time.
What exactly can website operators do? Do you offer help? What does this help include? What happens if a warning letter arrives anyway?
According to the will of the legislator, the General Data Protection Regulation must be implemented by May 25, 2018. Those who are only starting now will find it hard to manage given the scope and complexity. In order to protect yourself against a possible warning from the competition, your own website should in any case be adapted to the General Data Protection Regulation. Among other things, we have created a GDPR website package that contains the most common sample texts for a legally compliant website. If necessary, we also advise and support companies and freelancers in the complete implementation of the GDPR. (sb)