Is the client data in your aesthetic clinic safe?
Collecting personal data safely, making sure you have the right consent in place, and staying up to speed on data protection laws are all things that aesthetic clinics simply have to do.
But that doesn’t mean it’s easy – absolutely not!
In fact, making sure that your clinic is compliant with data protection laws is a seriously complex issue that requires a lot of time, attention, and headspace. That’s why, if you want real peace of mind, it’s always better to enlist the experts.
Charlotte Staples, Head of Privacy Management at Firebird Data Protection, is absolutely that – an expert on all things data protection in aesthetic clinics. In this blog, we’ll be picking her brain on all things privacy and personal data, including:
- The number one reason for data breaches in clinics
- Why ‘consent bundling’ is a bad idea 😓
- What you need to include in every marketing communication
- How to train your staff (and not make it boring)
- And lots more – we’ve packed in loads!
Let’s jump in for a chat about all things data protection in aesthetics…
👉 Charlotte Staples: Bio and background
Charlotte Staples is the Head of Privacy Management at Firebird Data Protection Consultancy. Her role involves supporting clients in handling their personal data in compliance with data protection laws and she specializes in delivering data protection officer services to aesthetic clinics, retailers, and hospitality clients.
Before joining Firebird, Charlotte was responsible for managing the data protection function for Harrods for nearly eight years. She ensured that the personal data relating to Harrods customers and employees was safely collected, used, and stored.
Why is data protection compliance so important for aesthetics practices (and other healthcare businesses?
The type of personal data that practices collect is considered to be the most sensitive type of personal data under the data protection laws, so there are stricter rules about how it can be used and stored. Fines for non-compliance with these laws are also incredibly high – up to £17.5 million – so ignoring it or failing to comply is a big risk to take.
The people whose data you fail to look after can also claim compensation and it’s estimated that this is the bigger cost to bear. Loss of future business is also a big consequence.
It’s not a good idea to ignore these rules. The Information Commissioner’s Office (the regulator of personal data use in the UK) is working on introducing AI to scan websites for non-compliance. It’s been known to launch an investigation after only a handful of complaints.
What are the main causes of data breaches?
The number one cause of a data breach is sending an email to the wrong recipient.
When that email contains health information, it’s likely to meet the threshold for reporting to the regulator. Another leading cause is a cyber attack which often happens as a result of phishing emails being clicked on.
Educating yourself and your staff to be aware of these things is very important to avoid them happening to you!
Can you give some examples of data breaches caused by human error?
We’ve mentioned sending an email to the wrong recipient. Another big one is failing to have the correct access controls in place to a system so that an unauthorized person gains access.
Also, updating a form in a shared area with personal data when it would have been better to download it and save it in your own files. Posting data to the wrong person also happens quite a lot too.
The consequences of having poor data protection processes
- Personal data gets lost or stolen and falls into the wrong hands
- Identity theft, embarrassment, and distress to clients
- Loss of business
- Regulatory fines
- Loss of trust amongst your client base
What are the reasons clinics trip up when it comes to data protection? Is it a lack of awareness?
Clinics and sole traders are legally required to register with the Information Commissioner’s Office and a quick look at this shows that many clinics and practitioners are not registered.
I think it is a lack of awareness. The data protection terminology can be quite confusing and it’s not a particularly straightforward area of law. It also changes fairly frequently so it’s a challenge to stay on top of exactly what you need to do. It’s one of those things where people are happy to fly under the radar as they think a breach won’t happen to them.
However, the stats show us that breaches and complaints are on the rise. The UK government has named a cyber attack as the number one risk affecting all businesses in the UK so it’s not a case of if this will happen to you, it’s when.
How to improve privacy compliance at your aesthetic clinic in 5 simple steps
1. Review your privacy policy
What is a privacy policy, and what should it include?
A privacy notice (sometimes called a privacy policy) is a core part of your compliance.
It’s where you explain to an individual how and why you collect, use, store, and delete their personal data. There are quite a few things that must be included in a privacy notice and they are unique to each business.
It must include your lawful basis (or justification) for collecting and using the data, and how long you’ll keep it for. You must also give details of who your data protection officer is and how to find out more information.
You’re responsible for making sure your audience can easily understand your privacy notice and explaining everything clearly. If you’re using cookies or tracking technologies on your website, you must also have a cookie policy that explains how they’re used.
Where should it be published?
The best place is on your website although you should include instructions on how to find it on every form that you use to collect people’s information.
Can you just download a template online?
The Information Commissioner’s Office, the regulator for data protection in the UK, has recently released a tool that allows organizations to generate a privacy policy.
However, whilst templates exist they often rely on specific information to be inputted and can come out fragmented and difficult to understand. It’s a good idea to get a review from a specialist even if you do choose to use a template, so they can check that it’s accurate.
For clinics wanting more reassurance, I’ve created a unique template for practices to use. I can also create a bespoke privacy notice for complete peace of mind that you’re meeting your obligations.
I don’t have a privacy notice, should I be worried?
Failing to have a privacy notice would amount to a breach of your obligation to be transparent about how you use personal data. If the regulator became aware it could issue a fine or you could face legal claims.
In fact, some of the biggest fines in Europe for non-compliance with data protection laws have been for lack of transparency about how personal data is being used.
Of course, you could take the risk and go unnoticed but with the regulator looking at AI to scan websites in the near future, it’s possible you’d be found out sooner rather than later.
2. Keep your client data safe
What is the best way to keep client data safe?
All client data should be stored in one secure storage system.
Pabau provides the appropriate security for your client data and you can easily set access controls to make sure data is accessed on a need-to-know basis.
If you use cameras and other devices to store data, move it to Pabau and delete it from the original source. Being paperless also helps.
Is there anything else to be aware of in-clinic regarding client data?
Lots! Too much to cover in one question, but my top three tips are to make sure that you have separate consent tick boxes for:
- Permission to complete the treatment
- Permission to send marketing communication
- Permission to use before and after photos on your marketing materials
Other things to be aware of are making sure you lock your computer if you work in an area that clients can access and making sure you do not leave any paperwork lying around.
Also, look out for phishing emails (scam emails where the sender pretends to be genuine) and voice phishing attempts. There has been an increase in attempts made to access health information via cyber attacks. For a full overview, clinics should introduce data protection training to their staff and have them complete it at least once a year.
At Pabau we advocate for practices being paper-free – is this essential to keeping client data safe?
It’s not essential but it certainly helps. Any paperwork you do use should be securely stored and destroyed using a cross-cut shredder as soon as it is no longer needed.
3. Check you're requesting consent from clients (in the right way)
Clinics will want to use client data for marketing purposes. When should they request consent to send them marketing content?
At the point of collecting personal data is a good time to ask for consent.
The best way to do this is to use tick boxes that are not pre-ticked. You should also have a separate tick box for email, SMS, and WhatsApp.
There are some limited opportunities for clinics to use pre-ticked boxes but this should only be done on the advice of a data protection professional.
What mistakes do people make in terms of consent?
Bundling your consents is a common mistake.
You should have one tick box for the treatment and another tick box for marketing. Also, sending marketing content in an appointment reminder or sending an email suggesting treatment is now due when no marketing consent exists.
Both of these are likely to get you in trouble with the regulator and it likes to issue fines for non-compliant marketing a lot. In fact, there have been more fines for failing to adhere to marketing rules in 2023 than for data breaches.
What about your marketing emails?
You should have a clear idea of which of your communications are marketing and which are service-related. If you do not have consent to send marketing, the service emails cannot include marketing material as this could be seen to be an attempt to break the rules.
You must include an unsubscribe link in every marketing message, and this includes text messages and WhatsApp too if you use these for marketing.
Do you need written consent to use before and after photos?
In short – yes! This should also explain exactly where you’d like to use them. Instagram for a one-off post, your leaflets, a billboard… etc.
4. Educate your staff on handling data
What’s the best way to train your staff about data protection?
Make it fun! It’s important that the message sticks. Training is one of my favorite things to do because I really enjoy changing people’s minds about a topic traditionally seen as dull.
When you have a data breach, the first thing the regulator asks is whether you provide data protection training. You should provide it at least once a year and for every new starter. As the law is constantly changing, the content of the training should be updated too.
Rapid advancements in technology and an increase in cyber-attacks mean that sometimes training is not enough and general awareness is just as important. Having data protection as an agenda item on team meetings is a good place to start, you can also follow Firebird’s Instagram @firebird.dp which we recently launched as a way of providing free advice.
I also produce webinars and training sessions on a variety of topics to suit all practices, sizes, and budgets for those who want to be certain themselves and their staff are adequately trained.
How often should you train your staff?
At least once a year, but you may choose to train them more frequently. It’s about embedding awareness and a culture whereby the client’s (and employee’s) personal data is recognized for the value it holds and appropriately protected.
Do you need documentation in place for data breach incidents?
You’re legally obliged to record every data breach and document what happened and what you’re doing to prevent it from happening again. You also need to assign a risk rating of what the breach means to those whose data has been lost or stolen.
If the risk is high, as it often will be if the data lost/stolen includes health data then you’re legally obliged to report it to the regulator without delay and within 72 hours of becoming aware. As you can imagine this can all be quite stressful if you are not used to dealing with data breaches and you’re panicked about how to handle the regulator.
This is where the specialist experience of an external DPO can really calm your nerves and minimize the impact of a regulatory investigation.
Is there anything practices need to be aware of in terms of social media and data protection?
Your practice is responsible for the personal data you hold regardless of where it’s stored.
This means if you interact with clients on social media you will still be responsible for the protection of their personal data there. It’s a good idea to move conversations off social media and delete the data from there as soon as possible.
5. Audit compliance processes at your aesthetic clinic
Compliance laws are always changing – do aesthetic practices need to be aware of that?
Absolutely. Because of the risk of cyber attack, changes in technology, and the updates to data protection laws it means the risk is always changing. A comprehensive audit is a good place to start but it should be regularly repeated to stay on top of things.
What’s the best way to stay up to date?
Follow Firebird on Instagram and LinkedIn for specific updates for the wellness and aesthetic sectors. For more detailed updates you can visit the Information Commissioner’s Website.
How often should you take a look at your processes and carry out audits?
At least once a year. However, once a framework has been established the yearly updates are unlikely to take very long. Putting the time and effort in now, particularly if your practice is growing, can save you a lot of time and effort later on.
Who should ‘own’ the process – the owner, the manager, or someone else?
The clinic manager is best placed to own the process. They work with the data and will understand how it’s used. However, the clinic owner will want to remain accountable.
In some instances, failure to comply with the data protection laws has resulted in criminal convictions, so the owner will want to see the assurance that their clinic is meeting the requirements.
It can seem overwhelming to do this all on your own, which is part of the reason I launched the service at Firebird. An outsourced Data Protection Officer who also understands your business can take the stress away from understanding your obligations and making sure you comply.
We have a package to suit practices of all sizes and would love to hear from you.
Finally, is there anything else important to mention?
One last tip is to be aware of new technology and the devices you are using. Any device that connects to the internet could be sending data externally. If you’re looking at using artificial intelligence, this also carries a data protection risk.
You’re required to carry out risk assessments (known as data protection impact assessments) if you’re carrying out a high-risk activity. We are specialists in making sure your client (and employee) data is not put at risk.
