GDPR
“European Union regulation; The regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).
Commission proposal COM/2012/010 final – 2012/0010 (COD).
Replaces Data Protection Directive.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.”
This is what Wikipedia says about the new data protection regulation that came into being on the 25th of May. Are you still awake?
The law didn't really arrive on that date: the regulation had been in force since 2016, and the 25th of May was only the end of its two-year grace period. In practice the date was more the start of an evolutionary process that has half the nation terrified and the other half doing nothing about it at all.
It's all very big and nebulous; words and threats are bandied around, fines of up to twenty million euros or four percent of your worldwide turnover, whichever is higher.
Lawyers are making a fortune running GDPR compliance workshops, and a lot of businesses have whole GDPR departments finding things to panic about.
The ICO (Information Commissioner's Office) is, I think, a benign government organisation. They are not after the likes of me (although they will uphold any complaint made against my company if we are found to be non-compliant). They are after the big companies who sell personal data to others without the subjects' knowledge; this information changes hands at a higher price than gold or oil. Seemingly. Though how they measure one against the other I don't know.
The ICO just wanted us to have protocols in place by the 25th of May. As long as I can show I've been thinking about it, it's fine. I have a huge plastic poster on the wall with 24 steps scribbled on it. As I write this, I am working towards number 18.
Now, being a business covered by patient confidentiality, you'd think we'd be pretty 'clean' with regard to GDPR. Were we? Nope!
So, firstly, a data audit. Where does the information go?
A patient calls up and makes an appointment, so their name and phone number then sit on my database/appointment system. If they see a 'blackshirt', part of the musculoskeletal therapy team, for treatment, then the patient's clinical records are on my database as well. If they see anybody else, the clinical data goes with that practitioner.
So there is a split that patients might not be aware of, and legally we now have to tell them. The acupuncturist takes his notes home on a laptop: legal if the laptop is locked and secure (in practice, password-locked and encrypted), illegal if not. The herbalist and the homoeopath use handwritten notes. They cannot now leave the practice with those notes, as they are not secure. So the notes have to be scanned and emailed to their 'home' practice, which only moves the problem unless the email itself is encrypted.
If they leave their notes in my practice, the data has to be locked away, so a simple combination lock on the office door sorted that out!
Is the database itself compliant? Yes... well, no! It is, but we have ten satellite laptops, all linked to the net, and one day (my risk assessment protocol number 4 told me) a practitioner is going to open a virus or hacking link and we are in trouble. All that personal data could be out on the market. So the database is going to the cloud and we will pay Microsoft to worry about it. Moving it does not move the responsibility, though: under GDPR the practice remains the data controller and Microsoft is only a processor, and a laptop that gets phished can still log in to the cloud copy.
So patients have to sign consent for us to put their name on the appointment system: no consent, no treatment! Or 'removal of benefit', as the law puts it. I wonder how long it will be before 'removal of benefit' clashes with 'duty of care'?
They then sign again in the treatment room for their clinical data to be held under the protocol of that practitioner. All those bits of paper have to be scanned and then destroyed. The waste of paper is huge!
And when I qualified 30 years ago, we were taught not to throw anything away: no patient records were to be destroyed!
GDPR itself only says keep records no longer than necessary; the actual retention periods are profession specific. For us, anything over eight years old has to go; doctors' records remain for a lifetime plus ten years. I have thirty years' worth, thousands of case records, in a storage facility. They all have to be burned. The sale of garden incinerators has rocketed.
And, under the data minimisation principle, it's now unlawful to ask a question that's irrelevant to the purpose. I cannot ask, in a case history, about a patient's sexuality or ethnicity, as it has no relevance to treatment. I cannot ask shoe size, but our chiropodists can. How often are you sitting in a café, putting details into your mobile to get onto the café wifi network? They ask for date of birth. Unlawful. Where you live? Unlawful. And so it goes on. And it is unlawful for them to remove the benefit (deny you wifi access) if you refuse the information, because consent that is a condition of the service is not freely given.
We are very used to giving away our information; now we can say 'Why do you want to know that?'
Overall it's been a useful but expensive project. Patients come in and laugh. We have a poster up of buttocks, saying GDPR is daft, but it's the law. Nobody has refused to sign. And mostly, we get them to come round the desk and have a look at the details we hold for them on the screen. Then we find they have moved house or changed their mobile number. They sign, we scan, we burn. It's done. 125 times a day until we have processed everybody.
We all need to opt in to things now (which is where the Blogger site fouled up!): being 'in' should cease until we re-consent. This allows us to disengage from things we never agreed to in the first place, all those little adverts that flash up on Facebook or in our email.
Charities will be hit hard. They cannot email us now unless we have given consent for them to do so. I've just spoken at a charity ladies' lunch. Inside the menu was a GDPR consent form so the charity can keep in touch with us.
Our vets took a different tack. They emailed and said they reserve the right to tell us when the dog's vaccinations are due, as it is an animal welfare matter, and gave us the option to opt out. That's unlawful now, but very sensible, and that's what they would argue in court.
The emails from Chinese websites still flow in, and that distant relative of mine in Nigeria, you know, the multi-millionaire, well, he's still trying to get in touch with me.
Overall, a useful exercise. I hope it does what it set out to do, but, like most things in life, the lawful will obey the law. The rest will just annoy us with unsolicited crap as usual.
Caro Ramsay 15 06 2018
Sounds about par for the course! The question is: is this site compliant?

I think Blogger is 'doing something about it'. As yet, I don't think they have specified what! Watch this space....

We never solicited people to 'like' MIE, and Blogger used only to send emails of comments to those who requested them. One would think . . .

My friend is asking for help with her PhD. She wants to email folk to ask if they want to be part of a study. The ethics committee refused that as it's an unsolicited approach. I'll just leave that there..... it could be the end of civilisation!

Having read this I feel so much better; it's not just me who thinks the appropriate acronym for all this should not be GDPR, but FUBAR. Question: should I attempt to re-subscribe to this website or wait until the great blogspot master in the sky gives us further instructions?