Changes You Can Make to Your Website that May Help with GDPR for Medical Websites

*DISCLAIMER: We are not lawyers. This is not a substitute for legal advice. The following blog post is a speculative opinion offered up in good faith based on our knowledge of best practices.*

Today (May 25, 2018) the new General Data Protection Regulation (GDPR) came into effect. The 2018 reform of EU data protection rules is being called the biggest change to privacy law in the EU in 20 years. You’re probably thinking: “my business doesn’t operate in the EU so I don’t have to worry about this at all!”, but you’d be wrong. These new rules also govern any website that receives visitors from the EU. The EU has promised hefty fines for any businesses found to be non-compliant. Before we jump into it, please keep in mind that if complying with these new laws seems onerous, they were developed for the protection of your patients/customers, and it is in everyone’s best interests to make sure your patients/customers are safe and protected online.

Obviously, here at M.Ad we work primarily with medical service providers across North America. We thought it might be helpful to summarize some of the steps we recommend taking to protect yourself.

*DISCLAIMER: NO ONE AT M.Ad IS A LAWYER. Do your own research, hire your own lawyers and protect yourself. The following recommendations are suggestions on general best practices when it comes to managing personal health information. The recommendations made below may or may not be specifically relevant to the new GDPR laws.*

Now that is out of the way, here’s what we recommend:

  1. Read the law fully HERE and have your lawyer review it as well.
  2. Make sure your website has an SSL certificate installed. This is best practice for any website, but especially for medical websites.
  3. Update your Privacy Policy (you absolutely should have one of these on your website). Make sure you include a “last updated on” disclosure and keep your privacy policy current.
  4. Include an email address where website users can get in touch to ask further questions that are specifically about GDPR.
  5. Use HIPAA Forms to collect form submissions on your website instead of a regular form submission plugin. We’re not being paid to say this. This is the only HIPAA Forms plugin that we have found that integrates with Caldera Forms and Gravity Forms so you don’t have to do all sorts of horrendous updates to your website. Purchase this plugin HERE and contact their excellent customer service team if you need help installing it.
  6. Disclose what marketing and advertising channels/tracking/analytics tools you’re using on your website. For example, Google Analytics Tracking Pixels, Google AdWords Tracking Pixels, Facebook Tracking Pixels, Remarketing Tags etc. This law is primarily about disclosing to your website users how their information is being collected and what is being done with it. You stand a much better chance of appearing compliant if you’re taking reasonable steps to be honest with your website users about what you’re doing with their information.
  7. As a ‘quick fix’ while your lawyer is preparing a more thorough update to your privacy policy, add the following disclosure statement (or something similar to it), which specifically references GDPR:

General Data Protection Regulation (GDPR) Updates

The GDPR takes effect on May 25, 2018, and is intended to protect the data of European Union citizens.

As a company that markets its site content, products and/or services online, we do not specifically target our marketing to the EU or conduct business in or to the EU in any meaningful way. If the data that you provide to us in the course of your use of our site, services or products is governed by GDPR, we will abide by the relevant portions of the regulation. If you are a resident of the European Economic Area (EEA), or are accessing this site from within the EEA, you may have the right to request from us: access to, correction of, deletion of, and portability of your personal data, and restriction of or objection to its processing. This includes the “right to be forgotten.”

To make any of these requests, please contact our GDPR contact at GDPR@_______.com
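Recommendation 6 above asks you to disclose every tracking and analytics tool on your site, and in practice the hard part is knowing what is actually loaded on the page, since tags accumulate over years of marketing campaigns. The script below is an added example (written for this post, not a tool from M.Ad or from any plugin vendor named above) that inventories third-party scripts, images and iframes in a page's HTML so the list can be checked against your privacy policy. The sample page, the placeholder tracking IDs and the tracker domain table are constructed for illustration; the table is not an authoritative list, and the scan only sees what is in the static HTML, so tags injected later by a tag manager still have to be read from the tag manager's own container.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative mapping of well-known tracker hosts to the product they belong to.
# Assumption: this is a hand-picked example table, not a complete catalogue.
KNOWN_TRACKERS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.googleadservices.com": "Google Ads conversion tracking",
    "googleads.g.doubleclick.net": "Google Ads remarketing",
    "connect.facebook.net": "Facebook Pixel",
    "www.facebook.com": "Facebook Pixel (noscript image)",
}

# Function names that tracking snippets call from inline JavaScript.
INLINE_SIGNATURES = {"gtag(": "Google gtag.js", "fbq(": "Facebook Pixel"}

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


class ResourceCollector(HTMLParser):
    """Collects src attributes of script/img/iframe tags and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag name, src URL)
        self.scripts = []    # bodies of inline <script> blocks
        self._buf = None     # accumulates text while inside a <script>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append((tag, src))
        if tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(body)
            self._buf = None


def inventory(html, site_host):
    """Return third-party hosts (with where they appear) and inline tracker calls.

    Anything served from site_host or one of its subdomains is treated as first party.
    """
    parser = ResourceCollector()
    parser.feed(html)
    hosts = {}

    def record(url, source):
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host is None or host == site_host or host.endswith("." + site_host):
            return                        # relative path or first-party resource
        entry = hosts.setdefault(
            host, {"label": KNOWN_TRACKERS.get(host, "unknown third party"), "sources": set()})
        entry["sources"].add(source)

    for tag, url in parser.resources:
        record(url, tag)
    inline_calls = set()
    for body in parser.scripts:
        for url in URL_RE.findall(body):  # loaders that inject a script from inline JS
            record(url, "inline script")
        for needle, label in INLINE_SIGNATURES.items():
            if needle in body:
                inline_calls.add(label)
    return {"hosts": hosts, "inline_calls": inline_calls}


def disclosure_lines(result):
    """Turn the inventory into lines a privacy policy author can start from."""
    lines = [f"{host}: {info['label']} (found in: {', '.join(sorted(info['sources']))})"
             for host, info in sorted(result["hosts"].items())]
    lines += [f"inline tracking call: {label}" for label in sorted(result["inline_calls"])]
    return lines


# Constructed sample page for a fictional clinic; all IDs are placeholders.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-000000-0"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'UA-000000-0');
</script>
<script src="/assets/site.js"></script>
<script>
!function(f,b,e,v,n,t,s){t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<img src="https://cdn.example-clinic.com/logo.png">
<iframe src="https://www.youtube.com/embed/placeholder"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line in disclosure_lines(inventory(SAMPLE_HTML, "example-clinic.com")):
        print(line)
```

Run it against a saved copy of each page template on your site (the homepage, contact page and any landing pages) and compare the hosts it reports with the tools named in your privacy policy; a host labelled "unknown third party" is either an embed you forgot about or a vendor that still needs to be disclosed.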