GDPR – General Data Protection Regulation – which has been in effect since May 25th 2018, is a complex legal framework which affects many processes and routines in the optical retail business, besides the software used for storing and handling customer data. All users need to be aware of, and fulfill, the different guidelines, regulations and recommendations in GDPR which are not software related, in order to be GDPR compliant.
Besides GDPR, different laws and legal frameworks regarding the storing and handling of clinical and other sensitive data must also be considered. These laws and legal frameworks differ between countries. Prooptics is striving to fulfill GDPR, common laws and general regulations for customer and clinical data, but for different countries we may have to make adjustments in order to fulfill local laws and regulations, which we may or may not decide to implement.
One of the most important guidelines we’ve used when developing Prooptics Clinic+, besides “Ease of Use”, is “Security and Privacy by Design”. Since we have long experience in handling sensitive and clinical data, several security features were built into the original design of Prooptics Clinic+. Here is a short description of how Prooptics Clinic+ handles and stores customer and clinical data.
Clinical data are stored separately from other data and information in order to protect them. This also makes it possible to log data entries and changes per user. This is a mandatory function for any software in order to fulfill most of the commonly used laws and other legal frameworks for clinical data, including GDPR.
This also means that clinical data can be stored in a separate geographic location if there is a specific storage requirement for clinical data. Even though Prooptics Clinic+ is 100 % cloud based, we’ve included the capability of installing and running Prooptics Clinic+ within a customer’s own infrastructure, in its private cloud, if required.
Encryption as standard
All communication is encrypted at all times using the commonly used SSL/TLS encryption, which means HTTPS in the browser. This is a security standard used by most secure websites, is supported by all commonly used web browsers, and also works on mobile devices like tablets and smartphones.
Authentication and authorization
Each user has personal user credentials which have to be used in order to log access, entries and data changes. This is mandatory in order to fulfill most of the commonly used laws and other legal frameworks for clinical data, including GDPR. There is no limit on the number of users in Prooptics Clinic+, so all users must use their personal credentials. An automatic “log out” feature makes sure that an unattended web browser can’t be used by another user. If a user starts using another web browser, the previous session is automatically terminated.
Access rights in Prooptics Clinic+ are fully customizable. An unlimited number of users can be combined with any number of user roles, where each user can have different roles, and therefore different access rights, in different stores. Different access rights can be set at store, region and chain level.
With Prooptics Clinic+, it’s very easy to collect customer consent. Customer consents are set and stored for each channel separately, such as SMS, E-mail, Mail and Social Media. If not all channels are used, one or more channels can be disabled for consent registration. Every single consent entry or change is logged in the database, including when and by whom.
Don’t forget that every business needs to create and communicate an information and personal data protection policy, besides collecting customer consent.
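The session and access-right rules in the two paragraphs above (personal credentials, automatic log-out of an idle browser, termination of the previous session when a user logs in from another browser, and roles that differ per store) can be made concrete in a small model. The code below is an added illustration and is not Prooptics Clinic+ code; the idle timeout of 15 minutes, the role names, the right names and the user/store identifiers are constructed for the example, since the page states none of them.

```python
# Added example, not Prooptics code. Models: one active session per user,
# automatic log-out after inactivity, and role-based rights per store.
from dataclasses import dataclass, field
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed value; the page gives no figure


@dataclass
class Session:
    token: str
    user: str
    browser_id: str   # constructed identifier for the browser/device
    last_seen: float  # seconds since epoch


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # token -> Session
    audit: list = field(default_factory=list)     # (when, user, event, browser_id)

    def login(self, user, browser_id, now):
        """Issue a fresh session; any earlier session of this user is terminated."""
        for token, s in list(self.sessions.items()):
            if s.user == user:
                del self.sessions[token]
                self.audit.append((now, user, "session_terminated", s.browser_id))
        token = secrets.token_urlsafe(32)  # unguessable session token
        self.sessions[token] = Session(token, user, browser_id, now)
        self.audit.append((now, user, "login", browser_id))
        return token

    def authenticate(self, token, now):
        """Return the user for a valid session, or None if unknown or timed out."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]  # automatic log-out of an unattended browser
            self.audit.append((now, s.user, "auto_logout", s.browser_id))
            return None
        s.last_seen = now
        return s.user


# Constructed role catalogue: role -> set of rights
ROLE_RIGHTS = {
    "optician": {"clinical:read", "clinical:write", "customer:read"},
    "reception": {"customer:read", "customer:write", "booking:write"},
}


def can_access(assignments, user, store, right):
    """assignments maps user -> {store -> role}; a user may hold
    different roles, and hence different rights, in different stores."""
    role = assignments.get(user, {}).get(store)
    return role is not None and right in ROLE_RIGHTS.get(role, set())
```

Every login, forced termination and automatic log-out lands in the audit list, which is the "log access" requirement in the paragraph above; rights are resolved per store, so the same user can write clinical data in one store and only handle bookings in another.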
Customer data export
Customer data portability is one of the requirements in the GDPR framework. We’ve included a feature where it’s possible to export customer data and save it in XML format.
Reminders and confirmations
Besides marketing communication, which requires customer consent, Prooptics Clinic+ uses e-mail and/or text messages (SMS) to send out reminders and booking confirmations. This type of customer communication doesn’t require customer consent.
GDPR – The right to be forgotten
One important customer data protection regulation in GDPR is the right to be forgotten. But since all customers in Prooptics Clinic+ have clinical data registered, deleting a customer or customer data is not allowed. Instead, a customer in Prooptics Clinic+ can be inactivated, with all clinical data kept intact as required by law.
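The consent, export, reminder and inactivation rules described in the sections above fit together in one data model: per-channel consent with an audit entry recording when and by whom, channels that can be disabled for consent registration, reminders and booking confirmations that need no consent, XML export of a customer record, and inactivation instead of deletion so clinical data stay intact. The code below is an added example and is not Prooptics Clinic+ code; the channel and purpose labels, the XML layout and the sample customer are constructed for illustration.

```python
# Added example, not Prooptics code. One register covering per-channel
# consent with audit log, disabled channels, consent-free reminders,
# XML export and inactivation that retains clinical records.
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

ALL_CHANNELS = ("sms", "email", "mail", "social")
# Purposes that the page says need no consent (labels are constructed)
NO_CONSENT_NEEDED = {"reminder", "booking_confirmation"}


@dataclass
class Customer:
    customer_id: int
    name: str
    active: bool = True
    consents: dict = field(default_factory=dict)          # channel -> True/False
    clinical_records: list = field(default_factory=list)  # never deleted


class CustomerRegister:
    def __init__(self, enabled_channels=ALL_CHANNELS):
        self.enabled = set(enabled_channels)  # channels open for consent registration
        self.customers = {}
        self.log = []  # (when, who, customer_id, event, detail)

    def add(self, customer, who, when):
        self.customers[customer.customer_id] = customer
        self.log.append((when, who, customer.customer_id, "created", customer.name))

    def set_consent(self, cid, channel, granted, who, when):
        """Record a consent entry or change; every change is logged with who/when."""
        if channel not in self.enabled:
            raise ValueError(f"{channel} is disabled for consent registration")
        c = self.customers[cid]
        previous = c.consents.get(channel)
        c.consents[channel] = bool(granted)
        self.log.append((when, who, cid, "consent", f"{channel}: {previous} -> {bool(granted)}"))

    def may_send(self, cid, channel, purpose):
        """Marketing needs consent on that channel; reminders do not.
        Nothing is sent to an inactivated customer or on a disabled channel."""
        c = self.customers[cid]
        if not c.active or channel not in self.enabled:
            return False
        if purpose in NO_CONSENT_NEEDED:
            return True
        return c.consents.get(channel, False)

    def inactivate(self, cid, who, when):
        """Right to be forgotten handled as inactivation; clinical data untouched."""
        c = self.customers[cid]
        c.active = False
        self.log.append((when, who, cid, "inactivated",
                         f"{len(c.clinical_records)} clinical records retained"))

    def delete(self, cid):
        raise PermissionError("customers with clinical data cannot be deleted; use inactivate()")

    def export_xml(self, cid):
        """Data portability: the customer record serialised as XML."""
        c = self.customers[cid]
        root = ET.Element("customer", id=str(c.customer_id), active=str(c.active).lower())
        ET.SubElement(root, "name").text = c.name
        cons = ET.SubElement(root, "consents")
        for channel, ok in sorted(c.consents.items()):
            ET.SubElement(cons, "channel", name=channel, granted=str(ok).lower())
        clin = ET.SubElement(root, "clinical")
        for rec in c.clinical_records:
            ET.SubElement(clin, "record").text = rec
        return ET.tostring(root, encoding="unicode")
```

The register never exposes a working delete; the only path for a forgotten customer is `inactivate`, after which `may_send` refuses every channel and purpose while the clinical records and the audit log remain available for the legally required retention.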
Data quality and accuracy
We have made it easy to ensure that customer data are as correct as possible. Even though all customers have the right to request that their data be corrected, we would like you to be ahead of such requests. In Prooptics Clinic+ we’ve therefore included an automatic reminder to verify customer data. See examples here!