Use only physical records to store patient data

Clearly inform patients about data collection, usage, and sharing

Avoid informing patients to maintain confidentiality

Share data with all staff members for easy access

Patient consent or necessity for medical treatment

Desire to market new services to patients

Any data processing that benefits the business

Processing data without any reason

Collect as much information as possible for future needs

Collect only the minimum data necessary for the purpose

Collect both relevant and irrelevant data for completeness

Ensure all data is accessible to everyone in the organization

Retain all patient data permanently in case it's needed

Keep data only as long as necessary and dispose of it securely

Retain data until the patient requests deletion

Archive data indefinitely without disposal

Within 1 month

Within 48 hours

Within 72 hours

Immediately

Only authorized personnel who need it for their roles

All staff members to facilitate workflow

Only management-level staff

No one to ensure data security

Assume third parties will follow GDPR by default

Obtain verbal agreements on data protection