General Data Protection Regulation (GDPR) - does your practice comply?

We get many questions about GDPR, so we have made this page to explain how we deal with it. The General Data Protection Regulation is a significant piece of legislation, so there is a lot to consider when running a clinic or practice. Below, we review the key issues, which we naturally handle for you in EasyPractice.

Is EasyPractice compliant? Yes
Am I compliant? Yes

Data Processors and Data Controllers

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. This is just a matter of definitions. You have accepted our agreement on data processing once you have been set up with EasyPractice.

When we talk about personal data, we work with the terms “Data Processor” and “Data Controller”. In this context, EasyPractice is a data processor and our users are the data controllers, since we process your client data on your behalf and in your interest. Therefore, you also have control over how we process your data, since we process it only as instructed by you.

Is EasyPractice compliant? Yes
Am I compliant? Yes

Location of data

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. EasyPractice is already set up to store all your data in Denmark.

With the new General Data Protection Regulation, it is legal to transfer personal data to other EU countries that comply with an adequate level of security. At EasyPractice we store data with a Danish hosting company in Denmark so you can be sure that your clients’ data is secure. It will therefore always be covered by the protection of the General Data Protection Regulation.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Consent and disclosure requirements

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must ask your clients to give their consent for you to store and process their data. You can do this in collaboration with EasyPractice.

It’s important that you as a data controller are clear and concise in your communications when you store or otherwise process your clients’ data. Processing of data must either be necessary to satisfy a contract or there must be explicit consent for it – and in any event, the processing must be for a stated purpose and your client must be informed of:

  • what personal data you will register,
  • what the personal data will be processed for,
  • how long the personal data will be stored for,
  • that your client is entitled to have his/her information corrected, deleted or handed over,
  • where your client may turn to make use of his/her rights to rectify, delete or have his/her information handed over,
  • that the client can at any time withdraw his/her consent and how this may be done,
  • where requests regarding the above can be made.

For example, if you set up clients in EasyPractice, the client shall expressly consent to this, and in that connection will receive the above information. If you have Online Booking in EasyPractice, you can set it up so that specific conditions must be approved before a booking is made, in order to ensure consent, and you should always do this.

Is EasyPractice compliant? Yes
Am I compliant? Yes

Data Protection Officer

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. EasyPractice has already dealt with this for you by appointing a DPO, who, among other things, deals with inquiries from your clients regarding processing of their personal data.

As data processor, we are now required to have a Data Protection Officer (DPO). A DPO must ensure that a company meets the requirements of the new General Data Protection Regulation. Read more about what a DPO is.

Is EasyPractice compliant? Yes
Am I compliant? Yes

Data portability

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. You don’t have to do anything. This is handled by EasyPractice.

The clients you have registered with EasyPractice have the right to be able to have their data transferred to another system if they request it. At EasyPractice, we have the ability to export client information via “Settings” → “Import / Export”, if you need a format that can be handed over to another data controller.

Is EasyPractice compliant? Yes
Am I compliant? Yes

“Right to be forgotten”

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. You don’t have to do anything. This is handled by EasyPractice. You can delete your clients completely if they request it.

Your clients have the right to be “forgotten”. This means that your clients can demand to be deleted from your client directory. At EasyPractice, you can set a client as “Inactive” or delete the client from your directory completely. For the “Right to be forgotten” to be met, you must delete the client completely from your directory. This can be automated through our “Cleanup” app.

However, it is not always the case that a client can demand to have all information deleted. Perhaps you need to retain information as documentation of your handling of personal data, or other legislation requires you to retain the personal data for a certain period of time. The judgement is ultimately yours, but remember to inform the client of the decision, regardless of whether you erase all data or not.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Privacy by design / Privacy by default

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must investigate whether the other programs you use to process personal data comply with the requirements of the General Data Protection Regulation, and you must enter into data processing agreements with your various data processors.

This part of the General Data Protection Regulation is about ensuring that the systems you use comply with the requirements for personal data protection. At EasyPractice, we comply with the various requirements that exist, for example, encryption of personal data, but if you use other systems (e.g. accounting programs), you as a data controller must ensure that they also comply with the requirements. For example, if you have linked EasyPractice to an accounting system, we ensure that you transfer data over an encrypted connection, but you as a data controller are responsible for the other system you are using complying with the requirements for storage of personal data.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Impact assessment

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must prepare the impact assessment yourself. We can of course help you with research if you need assistance with this, if you contact us at [email protected].


As a data controller, you have an obligation under the new General Data Protection Regulation to produce what is called an Impact assessment. An impact assessment is a description of the technologies / products you use that handle personal data and may include, among other things, an assessment of the risks for your clients in relation to being a client with you and what precautions and security measures you take in relation to the storage of personal data.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Notification duty regarding data breaches

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must notify the Danish Data Protection Agency if you receive a notification from us about any data breach, but of course we will help you in the formulation of the notification so you do not have to worry about the technical aspects.

With the new General Data Protection Regulation there is also a duty to inform the national personal data agency (i.e. the Danish Data Protection Agency in Denmark) about data breaches. This must be done within 72 hours after a data breach. As data processors, we are obliged to inform both our users and the Danish Data Protection Agency about a breach and we have ensured that we have a procedure for that in our company. Remember that as a data controller you are also required to disclose any data breaches.

Is EasyPractice compliant? Yes
Am I compliant? Action needed

Documentation that the General Data Protection Regulation is being complied with

We have you covered but action is needed from you.

Should I – as a processor – do something myself?

Yes. You must provide documentation to the Danish Data Protection Agency that you comply with the General Data Protection Regulation.

As a data controller, it is your responsibility that you have documentation showing that you comply with the General Data Protection Regulation. This means that you must have the correct documentation to show that data is processed correctly in the system you use.

Is EasyPractice compliant? Yes
Am I compliant? Yes

TLS security / encrypted communication

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. EasyPractice automatically runs with TLS security.

Secure communication from web browser to system (such as when editing journal entries or when a client books an appointment) is something that you as a data controller should be aware of. TLS, which stands for Transport Layer Security, is a security protocol that ensures the safe and private transmission of data over the internet. It’s like a security blanket for your online communications, protecting them from snooping and tampering. Here’s a breakdown of what TLS does:

Encryption: Imagine sending a secret message. TLS scrambles the information you send and receive, making it unreadable to anyone who intercepts it, even on an unsecured network.

Authentication: Just like checking someone’s ID before letting them in, TLS verifies the identity of the websites and servers you connect to. This helps prevent impersonation and ensures you’re talking to the intended party. 

Data Integrity: TLS makes sure the information you send arrives complete and unchanged. It’s like adding a checksum to a package to see if anything got lost or altered in transit.

EasyPractice has the highest A+ score on the industry-standard TLS Test at ssllabs.com.
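As an added illustration (not EasyPractice code and not part of the original page), the following Python shows how the three TLS guarantees described above map onto a client-side TLS configuration, and how to audit a configuration for settings that give them up. The function names `hardened_client_context`, `weak_client_context`, `audit_context` and `report_connection`, and the constant `MIN_TLS`, are assumptions of this example; only the standard library `ssl` and `socket` modules are used.

```python
import socket
import ssl
from typing import List

# Lowest protocol version a client should accept today (assumption of this example).
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that enforces all three TLS guarantees described above.

    - authentication: the server certificate must chain to a trusted CA
      (verify_mode) and must match the host name we asked for (check_hostname);
    - encryption and integrity: only TLS 1.2 and later are negotiated, and every
      cipher suite in those versions protects both confidentiality and integrity.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Deliberately misconfigured context, used here only as input for the audit.

    Certificate checks are disabled and any protocol version is accepted, so the
    client would happily talk to whoever answers on the network path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return one finding per TLS guarantee that the context fails to enforce."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("authentication: server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("authentication: certificate is not matched to the host name")
    if ctx.minimum_version < MIN_TLS:
        findings.append("encryption: protocol versions below TLS 1.2 are accepted")
    return findings


def report_connection(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and report what was actually negotiated.

    Needs network access, so it is not called by default; the host is whatever
    the caller passes in (a hypothetical placeholder, not a fixed target).
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

Run as a script, the hardened context produces no findings while the weak one produces three; `report_connection("your.practice.example")` (placeholder host) can be used to confirm that a live endpoint negotiates TLS 1.2 or later with a certificate that passes verification.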

Is EasyPractice compliant? Yes
Am I compliant? Yes

Exchange of data between platforms (integrations, apps)

No action for you to take, EasyPractice has you covered.

Should I – as a processor – do something myself?

No. EasyPractice has set up secure communication (TLS) in all integrations.

When using an online system such as for entering records or billing, it is often possible for the system to exchange data automatically with other platforms. It’s important that you, as a data controller, have an overview of the platforms you use and how they handle personal data. All integrations through EasyPractice run with TLS security (encrypted, secure communication) and thus we ensure that data cannot be “leaked” by network service providers.
