
GDPR Takes Effect in 35 Days. Does It Affect Your Practice?


On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) takes effect. It's the most comprehensive data privacy regulation ever enacted, and it carries fines of up to 4% of global annual revenue or 20 million euros, whichever is greater.

If you're a dental practice in Peoria, Arizona, you might think this doesn't apply to you. You're probably right. But "probably" isn't "definitely," and either way, GDPR signals where US privacy regulation is heading.

Does GDPR Apply to Your Practice?

GDPR applies to any organization that:

  • Is established in the EU, OR
  • Offers goods or services to individuals in the EU, OR
  • Monitors the behavior of individuals in the EU

For most US dental, medical, and legal practices, the answer is no. You serve local patients and clients. You don't market to Europeans. You're not monitoring EU citizens' behavior.

But consider these scenarios:

  • Your practice website collects email addresses for a newsletter, and some subscribers are in the EU
  • You treat tourists or temporary residents from EU countries
  • Your website uses Google Analytics, Facebook pixels, or cookies that track visitors from the EU
  • You're a law firm that handles international matters involving EU citizens

If any of these apply, you may have GDPR obligations. The regulation is intentionally broad in its reach.

GDPR's Key Principles (And Why They Matter Even If You're Not Covered)

Consent Must Be Clear and Affirmative

Pre-checked boxes, buried terms of service, and "by using this site you agree to everything" are not valid consent under GDPR. Consent must be freely given, specific, informed, and unambiguous. This is a good standard for any business, regardless of jurisdiction.

Data Minimization

Collect only what you need for a specific, stated purpose. Don't collect data "just in case" or because it might be useful someday. This aligns with HIPAA's minimum necessary standard and is simply good data hygiene.

Right to Access and Deletion

Individuals can request copies of their data and, in many cases, request that their data be deleted. Sound familiar? HIPAA's Right of Access provisions mirror this concept. Practices that comply with HIPAA are already partway to GDPR compliance.

Breach Notification in 72 Hours

GDPR requires breach notification to the supervisory authority within 72 hours and to affected individuals "without undue delay." Compare this to HIPAA's 60-day window. The trend is toward faster disclosure requirements.

Privacy by Design

Data protection should be built into systems and processes from the start, not bolted on afterward. This means considering privacy implications when choosing software, designing workflows, and configuring systems.

What US Regulation Is Coming

GDPR is setting the template. In the US:

  • California is drafting comprehensive privacy legislation (the California Consumer Privacy Act is in development)
  • Several other states are considering similar bills
  • Congress is holding hearings on federal privacy legislation, accelerated by the Cambridge Analytica scandal
  • Industry-specific regulations (HIPAA, GLBA, etc.) are being reviewed for adequacy

Practices that adopt privacy-forward practices now will be ahead of the compliance curve when US regulations catch up.

Practical Steps

  1. Review your website. Update your privacy policy. If you use cookies or analytics, add proper consent mechanisms. Install an SSL certificate if you haven't already.
  2. Audit your data collection. What data do you collect from patients, website visitors, and newsletter subscribers? Is all of it necessary?
  3. Review vendor agreements. Your vendors (cloud services, email marketing, analytics) may need to update their practices for GDPR. Make sure your vendors are compliant if they handle data that might include EU residents.
  4. Update your breach response plan. Even under current US law, faster notification is the trend. Practice responding quickly.
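One way to implement the consent mechanism from step 1, following the consent rules described under "Consent Must Be Clear and Affirmative": this is an added example written for this article, not code from the original post. It runs under Node without a DOM; the purpose names, the policy version and the loader callbacks are placeholders you would replace with your own analytics or pixel snippets.

```javascript
// Added example: a small consent gate for third-party trackers.
// Trackers are never loaded until the visitor makes an affirmative choice.
const POLICY_VERSION = "2018-05"; // placeholder; bump when the privacy policy changes
const PURPOSES = ["analytics", "marketing"]; // placeholder purpose names

// In-memory stand-in for a consent cookie or localStorage entry.
// It starts empty: there is no pre-checked default.
function createConsentStore() {
  return { record: null };
}

// Record an explicit choice. A purpose missing from `choices` is treated
// as "not consented"; only a literal `true` counts as consent.
function recordConsent(store, choices, now = Date.now()) {
  const granted = {};
  for (const p of PURPOSES) granted[p] = choices[p] === true;
  store.record = { version: POLICY_VERSION, timestamp: now, granted };
  return store.record;
}

// Withdrawing consent must be as easy as giving it: one call revokes all.
function withdrawConsent(store, now = Date.now()) {
  return recordConsent(store, {}, now);
}

// Consent is valid only if it exists and was given under the current
// policy version, so a policy change forces a fresh, informed decision.
function hasConsent(store, purpose) {
  const r = store.record;
  if (!r || r.version !== POLICY_VERSION) return false;
  return r.granted[purpose] === true;
}

// Invoke each tracker's loader only for purposes with valid consent.
// `loaders` maps a purpose name to a function that injects that script.
function loadTrackers(store, loaders) {
  const loaded = [];
  for (const p of PURPOSES) {
    if (hasConsent(store, p) && typeof loaders[p] === "function") {
      loaders[p]();
      loaded.push(p);
    }
  }
  return loaded;
}
```

Call `loadTrackers` on every page view so trackers only appear on visits where a valid, current consent record exists, and wire your consent banner's buttons to `recordConsent` and `withdrawConsent`.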

GDPR is the future of data privacy regulation. Even if it doesn't apply to you today, its principles will shape the laws that apply to you tomorrow.