20 Sep 2017

GDPR Compliance For Healthcare Organisations – Are You Ready?

By now you will most likely be aware of all the noise surrounding the new GDPR compliance data law due to be fully enforced from May 2018.

But, are you ready and compliant?

Very soon, organisations will be faced with a new Data Protection Act set of rules to comply with, called the General Data Protection Regulation (GDPR). There are some similarities between the existing UK Data Protection Act 1998 (DPA) and GDPR but many key differences too.


When the General Data Protection Regulation (GDPR) comes into full enforcement from 25 May 2018, organisations in breach of GDPR compliance rules will face dramatically increased fines.

From a theoretical maximum of £500,000 that the ICO could levy, non-compliance penalties under GDPR will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher. For many businesses, the threat of insolvency, or even closure, as a result of GDPR penalties will soon be very real.

Fifteen months is not long to bring an organisation, especially a larger one, to a state of compliance with the new law, which is why it’s essential to prepare now.

There is some degree of implied consent, called ‘legitimate interest’; however, this basis for consent has limited reach (e.g. it could be used to communicate adverse effects and similar vital news).

The Information Commissioner’s Office insists that opt-in consent for email will be key in the vast majority of cases where an organisation sends any kind of ‘non-essential’ communication, which is likely to include educational and promotional materials and messaging.

Requesting opt-in permission to email, confirming the intended content of the communications to be sent, confirming the frequency of emails and making clear how easy it is to withdraw consent (all at the point of requesting consent) will help address any potential grey areas and resulting ambiguity surrounding opt-in consent for emails, and will significantly reduce the risk of penalties.


The GDPR introduces a number of key changes for organisations. These include the following:

1. Even if your business is not in the EU, you will still be required to comply with the new GDPR regulation
2. The definition of personal data is broader, bringing more data into the scope of regulation
3. The rules for obtaining valid consent have been changed
4. The appointment of a Data Protection Officer will be mandatory for certain organisations
5. Mandatory Data Protection Act impact assessments have been introduced
6. There are new requirements for data breach notifications
7. Data subjects have the right to be forgotten
8. There are new restrictions on international data transfers
9. Data processors share responsibility for protecting personal data
10. There are new requirements for data portability
11. Processes must be built on the principle of privacy by design
12. The GDPR is a one-stop shop


Here are some more links to useful GDPR Compliance information (articles and video):

• https://ico.org.uk/for-organisations/data-protection-reform/gdpr-messages-for-the-boardroom/
• https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• https://ico.org.uk/media/about-the-ico/documents/1042564/ico-proposed-dp-regulation-analysis-paper-20130212.pdf


The Brexit question

UK organisations handling personal data will still need to comply with GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the European Union and the government has confirmed that the Regulation will apply, a position that has been confirmed by the Information Commissioner.


How Sales Accelerant can help

Sales Accelerant has wide-ranging Data Protection Act awareness and working knowledge to help organisations in the healthcare industry prepare for GDPR (from a marketing activity compliance perspective).

Sales Accelerant can help healthcare organisations retain complete control over email communications with healthcare professionals and other healthcare industry employees, rather than needing to rely heavily on industry data brokers and other organisations (which will hold GDPR-compliant opt-in email lists) to email healthcare professionals beyond May 2018.

The Sales Accelerant team can recommend a variety of options to help enable healthcare organisations to comply with the new GDPR guidelines, which include:

  • CRM modules (from the likes of Veeva/SFDC, Quintiles-IMS and Oracle)
  • Email marketing
  • Telemarketing (combining GDPR opt-in calls with other promotional/educational messaging purpose)
  • Tele-research (combining GDPR calls with other research purpose)

Sales Accelerant offers a GDPR compliance multi-channel campaign approach to enable healthcare organisations to develop compliant opt-in email lists. Sales Accelerant estimates that by using a healthcare CRM (CLM) system module (field-sales teams confirming opt-ins during calls using their tablets/mobiles, plus opt-ins via remote detailing platforms), combined with email marketing (via industry data brokers such as Binley’s (Wilmington Healthcare)), it will be possible to capture up to 80-90% of opt-ins.

For the remaining 10-20%, such as healthcare professionals based in low-prescribing rural areas, and new audiences (e.g. ahead of new product/indication launches in new therapy areas) who have therefore rarely or never been visited or called to date, Sales Accelerant can assist through delivery of a GDPR compliance multi-channel campaign.


Contact Sales Accelerant TODAY for more information about GDPR Compliance multi-channel campaign options which enable your healthcare organisation to be fully compliant ahead of the May 2018 deadline. Call: 01273 358170 or Email Us.
