GDPR Tips for Dental Practices

The General Data Protection Regulation takes effect on 25th May 2018 and if it’s sending your stress levels skyrocketing, relax. The bulk of GDPR will seem familiar, as it builds on the current Data Protection Act (DPA). By taking a few straightforward steps now, you can ensure your practice is compliant when it comes to collecting, storing and using patients’ personal, identifiable data.

Alert your team

It’s vital that everyone working at your practice knows about the changes GDPR will bring. A brief training session to bring everyone up to speed would be prudent.

Data Controller and Data Protection Officer

Whoever is responsible for the control and security of patients’ records should already be registered with the Information Commissioner’s Office (ICO), so it’s important you verify that someone at your practice is registered and that the registration is renewed annually. If your practice carries out dentistry under the NHS, you must also appoint a Data Protection Officer (DPO). This can be someone within or outside the practice. Article 39 of the GDPR lists the following responsibilities for the DPO:

  • To inform and advise the organisation and its employees about their obligations under the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, patients, etc.).


Practices will need to keep clear, accurate records of when and how patients gave their permission, and for what. Information should be filed under relevant categories so that a given patient’s records and consents can be found quickly. Everyone working in the practice who handles patient data should know where the records are stored and how to delete data should a patient request it. Patients have the right to withdraw their consent at any time, and withdrawing must be as easy as giving it.

Privacy notice

Review your current privacy notice to ensure that it will comply with GDPR. If you need clarification of what information should be supplied to the patient, and when, see the ICO’s guidance. The notice should include the name and contact details of your data controller (and of your DPO, if you have one), and it should clearly explain how a patient can withdraw consent.

When consent means consent

We’ve all seen the tiny, ticked boxes at the bottom of emails and on website forms that ask if it’s okay to store your data or give it to third parties. If you don’t untick the box, that’s supposedly seen as giving your consent. In reality, people might not have read or even seen the small print. Pre-ticked boxes for consent will no longer be acceptable. You can still use empty boxes for permission to store data, etc., but patients must positively opt in to show their consent; it cannot be assumed from inactivity or silence.
GDPR sets 16 as the age at which a child can give their own consent to online services, but allows each member state to lower this to 13, which is what the UK has chosen to do. Below that age, consent must be given or authorised by a parent or legal guardian. Check the ICO’s guidance on children’s data for the position that applies to your practice, and consider whether you will require proof of age, and what that proof would be.

Is it legal?

You will need to identify and justify the lawful basis for collecting and processing patients’ information. This should be documented and included in your revised privacy notice. Consent is only one of the lawful bases available: for much of the processing a practice does to deliver care, a different basis (such as the provision of health care) will be more appropriate, and the ICO advises against relying on consent for processing you would carry out anyway. If you’re collecting or using information without a lawful basis, you could be liable to a fine.

Data portability

Patients have the right to receive a copy of the personal information you hold about them (the right of access) and, where you process data they supplied on the basis of consent or a contract, to receive it in a structured, commonly used, machine-readable format (the right to data portability). The £10 fee that the DPA allowed for a subject access request is removed: copies must normally be provided free of charge, and within one month of the request. Consider how you will provide patients with this information. If your practice doesn’t already request patients’ email addresses, it might be worth collecting these to make providing copies more convenient, and for sending newsletters (with consent, of course).


What safeguards are in place to prevent data breaches? Is your IT protection software kept up to date and robust enough? If a breach happened, what plan is in place to deal with the consequences? Remember that under GDPR a breach that is likely to put patients’ rights at risk must be reported to the ICO within 72 hours of your becoming aware of it. Does each member of staff have their own login, so that access to patient files can be traced to a named person? A single shared password for the whole practice is not enough.
The important things to take away are:

  • Get active consent from patients.
  • Keep precise records of when information was collected and when consent was given. These should be regularly updated.
  • Patients must be given full details of:
    • why you need the information;
    • where it is stored;
    • how they can obtain a copy of their information;
    • how they can withdraw consent;
    • the name and contact details of your data controller.

If you’d like advice and help getting ready for GDPR, or there are other aspects of your dental practice that you’d like to improve, Vision in Business can help.
