
New Data Protection Rules: Is Your Practice Compliant?

The new General Data Protection Regulation (GDPR), which will replace the existing Data Protection Act (DPA), takes effect from 25 May 2018. 

It increases the obligations on all UK businesses, including dental practices, to safeguard the personal information of EU residents which is stored by them – be they customers, suppliers, employees or patients. 

The GDPR is more extensive in scope and application than the current DPA. The Regulation extends the data rights of individuals, and requires practices to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.

The GDPR will apply to data ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA, i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf.

Processing is about the more technical end of operations, like storing, retrieving and erasing data, whilst controlling data involves its manipulation in terms of interpretation, or decision making based on the data. One key new feature is having to show how you comply with the rules. Evidencing compliance is known as the ‘accountability’ principle. 

Things like staff training and reviewing your HR policies are examples of compliance – and you will need evidence to prove you have done it. Under GDPR, higher standards are set for consent. Consent means offering people genuine choice and control over how you use their data.

GDPR is going to affect all businesses including dental practices, so how should you go about preparing for it? It is important to ensure that everyone within the practice is aware of their responsibilities and this includes the entire workforce, from directors to cleaners. 

Don’t think that it really only affects the technology side of your practice because you need to review all your processes to ensure they are watertight. Personal data covers HR records, patient lists, contact details – in short any data you hold that can be processed to uniquely identify a person. One of the first things to do is to appoint a Data Protection Officer (DPO).

Your DPO will be responsible for controlling GDPR within your organisation and be able to coordinate matters. All employees must have a thorough understanding of what data within your practice organisation counts as ‘personal’, where it is kept, who has access to it and how to spot breaches when they occur and ensure it is reported to your DPO. 

If you hold contact details for any of your patients or perhaps have a database containing personal contact information which you may use for marketing purposes, you must ensure that you have obtained the individual person’s consent for you to hold the data. Simply asking them to tick a box if they wish to be removed from your database will no longer be acceptable.

They must physically opt in to receiving communications from you, and so many current databases will not comply. 

There are six principles which sit at the heart of GDPR and these are that personal data must be:

  • Processed lawfully, fairly and transparently 
  • Adequate, relevant and limited to what is necessary for processing 
  • Accurate and kept up to date 
  • Kept only for as long as is necessary for processing 
  • Processed in a manner that ensures its security 
  • Only collected for specified, explicit and legitimate purposes 

Tough penalties can be imposed for non-compliance and getting it wrong. Businesses found in breach of the Regulation may be fined up to 4% of annual global turnover or 20m euros, whichever is the greater (despite the fact that most dental practices don’t worry about their “annual global turnover”!).

In summary, GDPR will affect ALL businesses, be they dental practices or accountancy practices, and there is no way around it. This article highlights just some of the main features of the new rules. Further information on the GDPR, including details of the compliance requirements, can be found on the ICO website, www.ico.org.uk