It seems that whether you are in health marketing, a doctor or health facility trying to get your message out to help others, you can’t open your email without seeing something about being compliant with GDPR now.  It went into effect on May 25 and if you don’t have it, you can get fined.

So, is it like HIPAA?  Is it something that doctors and health marketers need?  Just what the heck is it?

What is GDPR?

GDPR stands for general data protection regulation which was adopted back in April 2016. It’s a data privacy measure that applies pressure on organizations and businesses that use client personal information and the way that private data can be both collected and used.

So, if it was 2016, why is it important now?

Perhaps you have seen the hearings regarding M. Zuckerberg in front of the Senate or even the hearings in front of Parliament, defending Facebook and taking a tongue lashing over the last few months. The regulation went into effect this past week and the interval was set up to enable companies to reshape the manner in which they conduct online business.

See what Facebook did to rectify the situation. The social network’s “Cookie Consent Guide for Sites and Apps” now includes a thorough breakdown of how new consent rules will work in the EU specifically, and which types of interests they’ll affect.

The same info page explains  how consent works globally— including the U.S. — in a single sentence: “Outside of the EU, other laws and rules may require you to provide notice and obtain consent to collect and use data from your site or app.”


Non-compliance to the new regulation can lead to massive fines: Infringements range in severity and fine— which includes exploiting user data without the proper consent. It can be as much as 4% of a company’s annual income, or €20 million.


The new regulation requires a high transparency level.  All businesses that work with online data will be required to explain not only what is being collected but also why they’re collecting it. Further, certain types of data come with explicit consent requirements, and users are permitted to withdraw that consent  with erasure of this data at any time.

While your name, age, job, and basic details is listed on social media profiles, GDPR covers the accessible IP addresses, location data, and web browsing cookies. Then there are the more sensitive, consent-required data points, including a person’s race or ethnicity, politics, union membership, philosophical beliefs, and genetic or biometric information. Data collectors must seek consent to “gather and use this information, and they’re required to purge it upon request.”

Ireland’s Data Protection Commissioner Helen Dixon told Wired :

“We know from our engagement with them that a lot of them are looking very proactively at how they are going to do the transparency under the GDPR.” “One of the things we have high hopes for significant change under the GDPR is how transparency is really delivered to users, particularly by these internet companies. The regulation takes more of a common sense approach than U.S. citizens are used to: If some tech company wants to use your data, they need to be straight about what they’re collecting, how they’ll use it, and who else (if anyone) will see it. They’re also required to share what they’ve collected upon request and obtain consent, in cases that call for it.”

Does this apply to you?

Maybe you are thinking, I’m only a local physician, healthcare facility or health marketer.  Since the GDPR is transatlantic, it doesn’t really apply to me.


In the world we live in where most people are wired, are your messages accessible online?  If so, they are being read abroad and not just locally. That doesn’t mean that you have to purge all your prior work online and withdraw from cyberspace.  It means that you need to become transparent and take action before you are noticed for all the wrong reasons!

Need help?

No worries.  We can discuss your needs.  Contact