The General Data Protection Regulation or GDPR requires you to choose one of six bases or grounds under which you process data.
Choosing the most appropriate one can be difficult, and it is one of the aspects of becoming GDPR compliant that we have found business owners struggle with most.
Before you decide which grounds are suitable, there are two things to note: what data is covered by the new law, and what you use it for.
On the question of what data is covered, GDPR only applies to personal information, not to data about businesses, or about people you deal with in a business-to-business relationship. For your therapy business, you’ll need to comply with GDPR primarily for client and employee data.
When you are considering how you use data, the term “processing” means acting on the data in any way. It includes use, but processing also includes storage, sharing, transfer and even erasure.
Of the six grounds, you should be able to rule out using two quickly.
Public Task can only be used in the exercise of official authority (public functions and powers), or to perform a specific task in the public interest, where these are set out by law.
Vital Interests can only be used where processing is the only way of protecting someone’s life and the individual at risk cannot give or refuse consent.
Public Task is intended to be used primarily by governmental organisations. Vital Interests is more suitable for emergency medical care.
That leaves four remaining grounds.
If you form a legal contract with your patients (if consultations are paid for), then you can process the data needed to carry out your side of the deal under the ground of Contract. It is also valid as a basis just before a contract is formed (for example, if you request information before a paid consultation).
This basis only lasts as long as the contract lasts. So you can’t use this basis, for example, to justify marketing a partner service to clients. However, you could use another ground to justify keeping the data after the contract ends.
That ground might be Legal Obligation. Certainly every business is required by law to keep transactional data for at least six years for tax purposes. There might be other laws that apply to the work you do and oblige you to keep records. Note, though, that the use has to be for fulfilling that legal requirement.
Another possible ground might be Legitimate Interests. These could be your own, those of your client, or those of someone else. The reason could be to protect financial interests or personal welfare. However, to use Legitimate Interests, you have to be able to demonstrate that:
- there is a legitimate interest
- processing on this ground is necessary – there is no other way of achieving the same result
- you have weighed the benefit against the impact on the individual’s rights, and considered whether the subject would reasonably agree with your decision
Additionally, you need to record (document) how you assessed that this basis was a legitimate choice.
If the subject is a child, then the necessity to use this basis must be greater than if the subject is an adult.
The last possible ground, Consent, is the one that is best to use wherever possible. Despite the requirement to obtain it, once you have it, you are on safe ground in using data for the purposes that consent was given. It is this basis that you would use, for example, for marketing or for any sort of voluntary work where there isn’t a contract.
Consent gained before May 2018 will be valid if it meets the same criteria as required after the date GDPR starts being enforced. Those requirements are that consent:
- was gained via positive opt-in (not by default or by inaction)
- is for specific purposes, such as receiving a monthly newsletter by e-mail
- can be withdrawn if chosen
- was given freely and separately from any other requirements to enter into a contract
You also need a mechanism to record consent – who has given it; for what purposes; what data; when it was given; and how it was obtained.
So, before you ask for consent, you’ll need to work out exactly what data you want to process and why you want to process it. That might be contact information so that you can keep in touch, but it also might be records of sessions so that if the client comes back at a later date, you can access the person’s history. Likewise, ask your employees (but not contractors) for their consent for you to hold data about them. The data you need to gain consent for is probably the data that you currently keep.
In any therapy practice, there will probably be several grounds under which you will collect, use and store data. Consent is likely to be the ground that gives you the greatest freedom to continue using data as you have done in the past. Contract is likely to be the ground you use for clients while you carry out your service.