GDPR and VPNs - a couple of questions


Hi Guys,

I did a search on the forum to see if either of the above came up and nothing did, so I thought I would create a new post.

A couple of quick questions:

  1. Where does Cliniko currently stand with the new EUGDPR guidance, and what are you currently doing to work towards compliance?

  2. As part of EUGDPR a VPN (Virtual Private Network) seems logical and gives another way of showing how we protect clients' data. Are there any that you recommend for use with Cliniko?

Thanks for your help as always.

Kind regards,



Hey Dave :wave:

While we’re still reviewing the GDPR changes we did receive some news that our provider Amazon Web Services or AWS (which is who we use to store Cliniko’s data with) announced that they have become a member of the Association of Cloud Infrastructure Services Providers in Europe (CISPE). CISPE’s goal is to help everyone adhere to the new GDPR guidelines!

AWS released this statement:

What is especially important/relevant:

AWS welcomes the arrival of the GDPR. The new, robust requirements raise the bar for data protection, security, and compliance, and will push the industry to follow the most stringent controls, helping to make everyone more secure. They’ve also announced that: "All AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018."

There may be a few things we need to do on our end to prepare for the transition but currently, we’re fully reviewing those requirements and working with Amazon Web Services to do this.

As for VPN recommendations, I have asked our team and the one that came up was PIA. Hope that helps!

Katie :slight_smile: :wave:


Hey Dave!

I also use! It’s really easy to use and super simple to set up! There are clients for basically all devices, making it really easy to turn on and off as you want.

Not saying this is better than PIA that Katie mentioned above, but it is an alternative if you want one!



Thanks Katie!

Really appreciate you getting back to me and thanks for your reply.

(also apologies for my delayed response - Christmas got in the way!)



Thanks Jason - I will check it out!



No worries!

Let us know how you make out :slight_smile:


Hey Team Cliniko,

Given that businesses have to be ready by May 2018, when do you plan to announce what you’re doing to support GDPR?

From what I understand, we’re required to capture the explicit permission from our customer bases that we have the right to store their data, including why that information is collected, and (where applicable) shared. Will Cliniko facilitate the permission gathering or will this need to be done outside of the platform?


bumping this topic


I don’t know when we’ll be making an explicit announcement of everything we’re doing to be GDPR ready, but we’re working hard to get there.

We will be making changes to online bookings to meet that “Explicit permission” requirement before collecting their data for the booking. In the short term we aren’t building anything else to get permission from your clients though, so you will still need to meet your obligations regarding consent with clients (through a consent form, for example). You can still scan and store that consent form to the client’s attachments.


Thanks for the reply, Jim. Much appreciated.


Would it be possible to add a box on the patient information page that we can tick with wording that confirms we have spoken to the patient and they understand that we need to record their personal data for medico-legal purposes?


There’s been talk about that Lulu, since it would certainly make tracking consent a lot easier. Our first focus is on making sure we’re fully compliant, but we’d really like to get something like that in place with enough time for clinics to be able to use it before May as well.


Hi Jim,
I have a few questions in addition to those raised above, in order to help practitioners comply with GDPR:

When new patients book, is it possible to have an opt-in tick box for separate things? E.g.

  • I am happy to receive text and/or email appointment confirmations / reminders to be sent (clearly as practitioners, we ideally want everyone to be sent these to reduce no shows)
  • I am happy for occasional email newsletters to be sent

Also, as Cliniko syncs with Mailchimp, is there any way of NOT syncing the contact details of those people who don’t opt in to marketing communications/newsletters? This would save having to remove them manually.

Also will we be able to run a report of patients who have opted in or out of various communications?


I just want to second what others have said. I am in the UK and am beginning to feel a bit anxious about Cliniko and GDPR. When do you think you will make a formal announcement about compliance?




@PDL I understand the nerves! This is a big change that affects a lot of what everyone is doing.

We have a lot of wheels turning right now to cover all aspects of GDPR compliance, and are discussing with lawyers to get a better understanding of how the rules affect all aspects of Cliniko and the support we provide around it. Once those meetings are done and everything is more concrete, we’re going to put together a post to share with everyone. But even in the meantime we’re still working hard to get the aspects we know finalised.

@Emma Online bookings will definitely have to change, as we need to get explicit consent from the patient before collecting their information. That will likely come in the form of having multiple tickboxes, to agree to storing data in general (and appointment reminders), to agree to marketing emails, and possibly others we decide to be necessary. I’m not 100% certain of how this will look when it’s completed though.

But yes, we will also need to include tools to ensure that data is not synced to Mailchimp should the patient opt out of marketing.

We will likely create some reports for consent, though that may not be ready for the May 25th deadline. We’ll be sure to include consent in the data exports though, so even if we don’t have a report on it, you could still generate it yourself.


For those who haven’t seen it yet - check out this article!


Yes, this is quite good news for those who value their privacy and protection of their personal data.

I personally (and all my friends) trust the HeadVPN service. It does not store any logs and guarantees the protection of data in the network by 100%.


This page now has all our latest info on GDPR compliance…