Features

Don’t be afraid of the GDPR

Business
Optix MD Trevor Rowley considers the major questions posed by the upcoming GDPR deadline on May 25

The first thing I must stress is that this information is offered as my personal opinion and I am not a lawyer. I have set out the processes we have implemented, which are based on the legal advice I have received. It is important that you familiarise yourself with the new rules and seek any legal advice you feel to be appropriate.

The major questions introduced by GDPR around your patient contacts are:

  1. What permission do you need to send marketing material to a patient?
  2. What permission do you need to send clinical messages (patient recalls/reminders etc)?
  3. Do you need permission to send individual messages such as ‘your glasses are now ready’?
  4. What are the requirements around allowing patients to opt-out?
  5. Are there any time restrictions around ongoing marketing?
  6. What should your communication preference setting defaults be?
  7. Is there any action we should consider taking prior to GDPR coming into force on May 25?

It is worth noting that the position in optics differs from that in many industries: we have a legitimate interest in ongoing communication to ensure clinical care, and any marketing we undertake will always be for associated products and services.

It would be extremely unusual for us to have contact details on our system for anyone who has not had a commercial relationship with us, and the details held have always been provided by the end user or their representative and never by a third-party list provider.

Also, there are no circumstances in which we would sell a patient’s contact information to third-party marketing companies – that does not include records transferred as part of a business sale, which is a totally different matter. So, taking these questions individually, these are the conclusions I have reached.

1. What permission do you need to send marketing material to a patient?

The fact that the patient contact details have been provided freely as part of a commercial transaction (a purchase or a consultation) is sufficient for you to rely on the ‘soft opt-in’. This exception, which sits in the Privacy and Electronic Communications Regulations (PECR) that apply alongside the GDPR rather than in the GDPR text itself, means that consent is not required if you are sending marketing messages about your own similar products and services to existing customers/clients, or to those who have negotiated with you for products or services, as long as:

  • You give them the opportunity to opt-out when you receive their contact information; and
  • You give them the opportunity to opt-out when you send them subsequent messages.

This processing is not based on consent but on the legitimate interests lawful basis, and the soft opt-in can be relied upon only by the organisation that collected the contact details, not by third parties. The Information Commissioner’s Office (ICO) covers this at https://ico.org.uk/for-organisations/guide-to-pecr...

The ICO’s direct marketing guidance document provides further explanation of this, stating that: ‘The customer does not actually have to have bought anything to trigger the soft opt-in. It is enough if “negotiations for a sale” took place. This means that the customer should have actively expressed an interest in buying an organisation’s products or services – for example, by requesting a quote, or asking for more details of what it offers. There must be some sort of express communication.’

Soft opt-in is of huge value to us for obvious reasons, but you can only make use of it if the patient has the opportunity to opt out when you receive their information and also every time you send any subsequent message.

When considering the best design solutions to allow you to meet GDPR requirements, we did consider a lot of options including integration with third party mailing services such as MailChimp. It very quickly became apparent that while much easier for us, a simple unsubscribe solution really did not cut it.

These systems are all designed around the idea that you have a marketing email list from which people can remove themselves as required. Such systems do not address the full range of patient communication preferences and would definitely not allow for the management levels and very granular requirements that our customers need.

We have therefore created a very extensive and sophisticated solution to allow both Optix users and patients to manage these preferences in a granular and fully GDPR compliant way. Each individual contact method can be set to either ‘any’, ‘clinical only’, or ‘none’, and when you receive your upgrade you will immediately notice that every patient has their personal contact preferences shown at the top of the summary screen like in figure 1.

Figure 1

Each time you book an appointment for a patient you will see the same slider controls and the settings can very quickly be updated.

If you wish to update the contact settings between appointments, then the normal link to patient details now brings the same controls where you enter and update the contact information (figure 2).

Figure 2

As already advised, we are introducing a mandatory link for the patient to manage and update their personal preferences, which will be added to the end of every email. This will read ‘To check and update your contact preferences visit opx.ie/abc12’, with the actual short URL being unique to that individual email message and, for security reasons, valid only for a limited period. We are doing the same for SMS messages, which will carry the suffix ‘Update contact options at opx.ie/abc12’. To ensure you still have plenty of room to say what you need within the SMS, our standard 10p charge will be upgraded from 160 characters up to 306 (two concatenated SMS segments of 153 characters each), which means you will get an extra 100 usable characters at no extra cost once the suffix is allowed for. If the recipient clicks on the link, they will be able to update their contact preferences using a slider control – see figure 3.

Figure 3

The patient can also use the same link to update their contact details but will need to enter their date of birth in order to unlock this feature. You can see the short video of this process that I showed during the Optix Conference in March at Celtic Manor using this link http://www.optix.co.uk/gdpr.
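To make concrete what a per-message, time-limited preference link involves, here is an added Python sketch. It is not Optix’s code and the article does not describe how its links are generated; it assumes a five-character slug in the opx.ie/abc12 style, a 30-day validity period, and a server-side table keyed by slug, and the patient record and send time are constructed for the example. It also covers the date-of-birth check that gates contact-detail edits, showing that an expired link must fail even when the date of birth is right.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Optional

ALPHABET = string.ascii_lowercase + string.digits  # character set of the article's example slug, abc12
SLUG_LENGTH = 5                                     # assumption: five characters, as in that example
LINK_TTL = timedelta(days=30)                       # assumption: the article gives no validity period


@dataclass
class PreferenceLink:
    slug: str
    patient_id: str
    message_id: str
    expires_at: datetime


class PreferenceLinkService:
    """Hypothetical server-side table with one row per message sent; the slug in the URL is the key."""

    def __init__(self, dates_of_birth: Dict[str, date], base_url: str = "https://opx.ie/"):
        self._links: Dict[str, PreferenceLink] = {}
        self._dob = dates_of_birth   # patient_id -> stored date of birth (constructed lookup)
        self.base_url = base_url

    def issue(self, patient_id: str, message_id: str, now: datetime,
              ttl: timedelta = LINK_TTL) -> str:
        """Mint a fresh slug for one message and return the full URL.

        A new slug per message means a forwarded or leaked message exposes only that one
        link, and each click can be attributed to the message that carried it.
        """
        while True:
            # secrets draws from the OS CSPRNG; random.choice would let one slug predict the next
            slug = "".join(secrets.choice(ALPHABET) for _ in range(SLUG_LENGTH))
            if slug not in self._links:
                break
        self._links[slug] = PreferenceLink(slug, patient_id, message_id, now + ttl)
        return self.base_url + slug

    def resolve(self, slug: str, now: datetime) -> Optional[PreferenceLink]:
        """Look up a clicked slug. Unknown and expired both give None, so a guesser
        learns nothing about which slugs once existed."""
        link = self._links.get(slug)
        if link is None or now >= link.expires_at:
            return None
        return link

    def may_edit_contact_details(self, slug: str, dob_entered: str, now: datetime) -> bool:
        """The article gates contact-detail edits behind a date-of-birth entry on top of the link.
        Date of birth is a widely known fact, so it is a second check layered on the
        unguessable, expiring slug rather than a replacement for it; an expired link fails here
        even with the right date of birth."""
        link = self.resolve(slug, now)
        if link is None:
            return False
        stored = self._dob[link.patient_id].isoformat().encode()
        entered = dob_entered.strip().encode()
        return hmac.compare_digest(stored, entered)   # constant-time comparison

    def purge_expired(self, now: datetime) -> int:
        """Drop expired rows so the table does not grow with every message sent."""
        expired = [slug for slug, link in self._links.items() if now >= link.expires_at]
        for slug in expired:
            del self._links[slug]
        return len(expired)


def slug_from_url(url: str) -> str:
    """Extract the slug from a link the patient clicked (the last path component)."""
    return url.rstrip("/").rsplit("/", 1)[-1]


# Constructed send time and the two instants the walkthrough checks against.
SENT_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
ONE_DAY_LATER = SENT_AT + timedelta(days=1)
AFTER_EXPIRY = SENT_AT + LINK_TTL


def build_demo():
    """Constructed walkthrough: two messages to one patient each get their own link."""
    service = PreferenceLinkService({"P-1001": date(1975, 3, 9)})
    appointment_link = service.issue("P-1001", "appt-confirm-1", SENT_AT)
    recall_link = service.issue("P-1001", "recall-2", SENT_AT)
    return service, appointment_link, recall_link


if __name__ == "__main__":
    service, link_a, link_b = build_demo()
    print(link_a, link_b)                                             # two different slugs
    print(service.resolve(slug_from_url(link_a), ONE_DAY_LATER))      # the appointment link record
    print(service.resolve(slug_from_url(link_a), AFTER_EXPIRY))       # None: expired
```

The important property is that the slug carries the authority to change a patient’s preferences, so it must be unpredictable, must stop working after its validity period, and should be minted once per message rather than once per patient.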

The area that is left to address is the requirement that ‘You give them the opportunity to opt-out when you receive their contact information’, which in theory can be addressed by staff training. However, we all know that, with the very best will in the world, that is likely to mean the question is sometimes not asked and the requirement has not been met.

The solution to this is to send every new patient a specific confirmation email when they first make an appointment – think of this as a ‘welcome email’. This first email should of course include the appointment confirmation details as normal but then contain a final paragraph which outlines your policy on data use and directs them towards the subscription preference link which is automatically added when the message is sent.

I will be sharing the exact text we use at Viewpoint prior to the next update being released and you are free to adapt this for your own use. The process will then be for your staff to ensure that your ‘welcome template’ is selected for use as an appointment confirmation when a new patient makes their first appointment.

While this is much more reliable than asking your staff to check the preferences with your new patient, there is still room for error. We have therefore designed a new automatic rules engine which can be centrally controlled to define exactly which templates are used in different circumstances and will ensure that you are able to meet the legal requirements without any staff intervention.

As this was not part of our initial plans for GDPR, the new rules engine will not be available until around mid-June and so you will have a few weeks when your staff will need to be vigilant in selecting the correct appointment confirmation template.

2. What permission do you need to send clinical messages (patient recalls, reminders, etc)?

A patient recall is not considered a marketing message, so the marketing rules do not apply to it. However, as it is common practice to include a marketing message within recall templates, it is sensible to ensure your recalls are also fully compliant.

The unsubscribe link will automatically be added to any SMS or emails used, and we would strongly recommend that this is also included within the text of your letters – a new merge field option has been created to cater for this requirement. You will also note from the screenshots above that we have allowed for very granular preferences to be defined and so it is perfectly possible a patient may give you permission to use their email address for clinical correspondence but not for marketing messages.

Within recall, Optix will use a communication method if it is marked as either ‘clinical’ or ‘any’; from the marketing system, a method will only be used if the preference is set to ‘any’. We have built in the option of setting a marketing communication to ‘treat as clinical’ for times when, for example, you need to use the system to contact everyone using a specific contact lens solution.

3. Do you need permission to send individual messages such as ‘your glasses are now ready’?

Such one-to-one messages are not marketing and are outside the scope of the associated rules as indeed are telephone calls. The patient preferences are very visible for your staff to see and they must make an individual choice with each patient about sending any interactive communications.

For this reason, Optix will always send interactive communications as requested without any reference to the patient contact preferences. My personal view is that we will carry on using SMS and email for such messages unless a patient specifically asks we do not do so – in which case we would remove their email/mobile from the system as clearly there would be no value in storing the information. Each of you must decide on a policy for your business in this area.

4. What are the requirements around allowing patients to opt-out?

I would hope that having read this far you now know the answer to this question. The ICO is explicit that every marketing message must include a clear chance to opt out, and we have put a huge amount of work into this requirement. As stated earlier, the opt-out link is mandatory on all emails and SMS messages but optional on postal communications.

Those of you who use MySight will find the individual preference management options will also appear within both the web interface and the MySight Apps. There are no additional charges for you in using the communication preference management system. As an aside here, the ICO state that your messages must also ‘tell the recipient who you are and provide a valid contact address’ – so please be careful to meet that requirement.

5. Are there any time restrictions around ongoing marketing?

There are many grey areas in the new regulations, and none more so than this question. If someone walks into your practice, buys a pair of sunglasses and provides you with their email address then, as covered above, it is legitimate for you to follow them up with marketing communications provided that each one includes the clear ability to opt out.

The question is how long can you continue to send these messages if you get absolutely no response from the recipient? Moreover, at what point does the justification of legitimate interest cease to be valid and your email start to be classed as spam?

The answer to this is unclear but where the communication is based on consent rather than soft opt-in, the ICO suggests a period of two years from last consent as being best practice.

As we are relying on soft opt-in, this would mean that you can legitimately continue to use the contact details (subject to opt-out) for a period of two years from the last engagement. In our world, an engagement would be one of the following three things.

  1. Attending your practice for a consultation.
  2. Making any form of purchase from you.
  3. Reviewing and/or updating their personal contact preferences.

To cater for this, the next release of Optix has introduced the concept of a ‘last engagement’ date which will automatically reflect the most recent of these events. When you run a marketing query you will have the option of filtering the results by the last engagement date to ensure you are only communicating to recipients who have engaged within your chosen period.

At Viewpoint we will be using this on all marketing with the value set to 24 months, but it is for you to make your own decision on this based on any legal advice you have received. The important thing is that we are providing you with the tools to meet this requirement, and we have also given you a very quick way to confirm that you have reviewed the marketing preferences with your patient by just right-clicking on the summary screen as you can see in figure 4.

Figure 4
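The routing rule from question 2 (a recall may use a channel set to ‘clinical’ or ‘any’, a marketing message only one set to ‘any’, with a ‘treat as clinical’ override) and the last-engagement filter described above are simple enough to express in code, and doing so shows how the two combine in a marketing query. The Python below is an added illustration, not Optix’s implementation: the field names, the three slider positions as strings, the 24-month default and the sample patients are all constructed for the example. It also includes the one-to-one ‘interactive’ messages from question 3, which the article says are sent regardless of preference.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Slider positions from the article: 'any', 'clinical only' (here "clinical"), or 'none'.
# Which positions allow a channel depends on why the message is being sent.
ALLOWED = {
    "clinical": {"any", "clinical"},             # recalls and reminders
    "marketing": {"any"},                        # marketing queries
    "interactive": {"any", "clinical", "none"},  # one-to-one messages are sent regardless
}


@dataclass
class Patient:
    """Constructed record; field names are assumptions, not Optix's schema."""
    patient_id: str
    prefs: Dict[str, str]                 # channel -> slider position, e.g. {"email": "any"}
    last_consultation: Optional[date] = None
    last_purchase: Optional[date] = None
    last_preference_review: Optional[date] = None

    def last_engagement(self) -> Optional[date]:
        """Most recent of the three engagement events the article lists, or None if none recorded."""
        events = [d for d in (self.last_consultation, self.last_purchase,
                              self.last_preference_review) if d is not None]
        return max(events) if events else None


def usable_channels(prefs: Dict[str, str], purpose: str, treat_as_clinical: bool = False) -> Set[str]:
    """Channels the patient's slider settings permit for this purpose.

    treat_as_clinical lets a message sent from the marketing system (e.g. a notice about a
    contact lens solution) be routed under the clinical rule, as the article describes.
    """
    if purpose not in ALLOWED:
        raise ValueError(f"unknown purpose {purpose!r}")
    effective = "clinical" if purpose == "marketing" and treat_as_clinical else purpose
    return {channel for channel, setting in prefs.items() if setting in ALLOWED[effective]}


def months_before(day: date, months: int) -> date:
    """Calendar-accurate 'N months ago', clamping to the last day of a shorter month."""
    index = day.year * 12 + (day.month - 1) - months
    year, month_zero = divmod(index, 12)
    month = month_zero + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def marketing_recipients(patients: List[Patient], channel: str, today: date,
                         window_months: int = 24, treat_as_clinical: bool = False) -> List[str]:
    """Patient IDs a marketing query may contact on `channel`: the slider must permit it and
    the last engagement must fall within the window (24 months is the figure the article uses)."""
    cutoff = months_before(today, window_months)
    selected = []
    for patient in patients:
        if channel not in usable_channels(patient.prefs, "marketing", treat_as_clinical):
            continue
        engaged = patient.last_engagement()
        if engaged is None or engaged < cutoff:
            continue  # never engaged, or engaged too long ago
        selected.append(patient.patient_id)
    return selected


# Constructed sample data for the example.
TODAY = date(2018, 5, 25)
SAMPLE_PATIENTS = [
    Patient("p1", {"email": "any", "sms": "clinical"}, last_consultation=date(2017, 11, 10)),
    Patient("p2", {"email": "any"}, last_purchase=date(2016, 1, 15)),               # outside 24 months
    Patient("p3", {"email": "clinical"}, last_preference_review=date(2018, 5, 1)),  # clinical only
    Patient("p4", {"email": "any"}),                                                 # no engagement recorded
]

if __name__ == "__main__":
    print(marketing_recipients(SAMPLE_PATIENTS, "email", TODAY))                          # ['p1']
    print(marketing_recipients(SAMPLE_PATIENTS, "email", TODAY, treat_as_clinical=True))  # ['p1', 'p3']
```

Note that p3 drops out of an ordinary marketing run even though the patient engaged this month, because the email slider is set to ‘clinical’, while p2 drops out despite an ‘any’ setting because the last purchase is older than the window; the two tests are independent and both must pass.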

As previously mentioned, postal communications do not have any significant limitations on them from direct marketing rules, and so you may choose to apply a different time period for letters. That choice is entirely yours to make.

6. What should your communication preference setting defaults be?

If you have followed the rationale set out here and reached the same conclusions we have, then I would suggest that each new patient should have their default communication preference set to ‘any’ for each communication method that is available. However, we recognise that some of you may have had different legal advice or may take a different personal view.

To allow for this we have made provision for you to set your preferred default values for new patients within the Optix administrative settings. We will also need to know if you prefer to have the settings for existing patients set to something other than ‘any’ when we upgrade your version of Optix. In due course I will be posting instructions on how to let us know if you want specific settings applied when we upgrade you.

Figure 5

For clarity, if a patient has had their communication preferences under the existing system set to ‘essential only’, then we will always translate that to ‘clinical’ in the new release.

7. Is there any action we should consider taking prior to GDPR coming into force on May 25?

Again, this is a decision that each one of you must take. At Viewpoint we will be sending an email to every person on our system in the weeks prior to GDPR coming into force, and an SMS to the small number where we hold a mobile number but no email address. My ambition is to drive as many as possible to review their preference settings and indeed update their contact details if appropriate. Not only will that give us updated information, it also resets our ‘last engagement’ date for anyone who responds.

Conclusions

Please do not be scared of GDPR; overall the legislation is very sensible and as consumers we should all benefit from the new rules. You will now have some sense of the amount of work that has gone into providing you with the tools needed to comply with the regulations.

I have spoken to some customers who are almost in a blind panic about GDPR and completely over-reacting, but I have also spoken to some other PMS providers who think this is a fuss about nothing and have no intention of making any changes to their software. We shall of course extend a very warm welcome to their customers when they start to appreciate why they should have been using Optix.

Finally, it is worth noting that there are many other aspects of GDPR beyond the patient communication rules that you will also need to address. These include HR considerations, an asset register, and the need for a DPO. If you have not already done so then drop an email to dataprotect@shulmans.co.uk and Mark Lumley will send you a check list and some other information that will be useful as part of your overall compliance strategy.

Trevor Rowley is the managing director of practice management software provider Optix.