7DOTS Report: 59% of healthcare providers failing to comply with data protection laws

At 7DOTS we’re on a mission to help brands become fully data compliant. Many brands are not aware that they have an issue, nor of its implications: potential fines and loss of customer trust. 

In the second of our reports, we move on from Education to the Healthcare sector. Our new report reveals that many healthcare providers in England are not currently complying with data protection laws. 

In our study we analysed the websites of more than 3,500 providers registered with the Care Quality Commission in England, covering the full spectrum of healthcare provision, using our own custom cookie compliance testing tool. 

Our analysis highlighted that nearly three in five, 59%, were non-compliant with current General Data Protection Regulation (GDPR) standards. The research also revealed that only 6% had a consent management platform, a crucial component for GDPR adherence.

Given the potential sensitivity of patient data, this widespread compliance failure raises significant concerns about the safeguarding of patient and other website visitor data. It also exposes providers to the risk of hefty fines for non-compliance, even though many will be unaware that there is an issue. 

The GDPR, designed to ensure the responsible handling of personal data, imposes stringent rules on organisations, emphasising the need for careful and lawful processing of individuals' information.  

Our report reveals wide variance in compliance depending on the type of service offered. Rehabilitation and substance abuse centres had the highest rate of non-compliance at 92%, followed by community services healthcare providers with a non-compliance rate of 79%.  

At the other end of the scale, doctors’ surgeries performed best, but still close to half, 45%, were non-compliant. Home care agencies were next best, with a compliance rate of 46%. 

The failure to safeguard the data of visitors to substance misuse centres could lead to vulnerable people being retargeted with inappropriate adverts based on profiling, and families researching end-of-life care could face inappropriate or insensitive advertising.  

On the back of the findings, we are urging healthcare providers to take action to protect the privacy of patients and website visitors and ensure they have digital experiences built on a foundation of trust. 

Other findings included: 

  • The prevalence of Google Analytics on 77% of non-compliant sites and the utilisation of paid social platforms with embedded tracking mechanisms were identified as significant contributors to the lack of compliance.
  • Alongside Google Analytics, other well-known cookie and storage vendors frequently present on non-compliant sites are Facebook, Google, Wix.com and YouTube, meaning visitor data is being sent to these third-party platforms without the visitor’s consent. This could result in those visitors being targeted for advertising despite never having given permission.  
  • Even among the 219 providers employing cookie consent management platforms (CCMs), a shocking 63% were found to be processing website visitors’ data in a way that does not align with GDPR standards. This is most likely caused by web editors hardcoding scripts and assets (e.g., YouTube embeds) directly into pages, so they load before any consent is given, outside the consent manager’s control and with no Content Security Policy (CSP) restriction in place to block the unsanctioned loads.  

The results of our study reveal a worrying lack of compliance among healthcare providers. This raises significant questions about the safeguarding of patient and other website visitor data. This has particular implications given the sensitivities within this sector and the need for patient privacy, particularly for more vulnerable patients such as those in substance recovery centres. 

We’re on a mission to help brands and businesses get their websites compliant. Many healthcare providers will be unaware they even have an issue, as their websites will have been built by external providers. But providers could face fines from the ICO and risk eroding customer trust if the likes of Google and Meta use non-compliant data to build ad audiences and target customers with unsolicited and inappropriate communications. 

Nick Williams

Demand Director

Nick heads up the award-winning demand division of 7DOTS, which offers a full range of SEO and demand marketing services.