top of page


Friday 25 May 2018 was ‘GDPR’ day – from this date the new EU regulations on data protection became the law in all member states and replace the previous legislation. The new law has been set out to take account of the fact that life now involves much more ‘digital’ activity than before and is a challenging environment for protecting personal information. The new law sets out to address this challenge.


All data controllers and data processors are affected, therefore all dental practices need to comply with the new law. This involves also being able to demonstrate compliance. Failure to do so can result in serious penalties being imposed.

The Information Commissioner's Office (ICO) has issued guidance on the new requirements and this is available from


The processing of data includes collecting, storing, using, disclosing (and destroying) personal information such as dental records, x-rays etc. The GDPR requires that:

  • there must be a “legal basis” - a valid reason for holding patients' personal information

  • this legal basis is made clear to patients.

In dental practice, the relevant “legal basis” is likely to be that the data processing is necessary for the provision of treatment by a registered dental professional.

Another basis is the consent of the patient to the processing of their data.


The GDPR gives patients more rights with respect to their personal data.

As with the previous legislation, a patient will have the right to be provided with copies of the information held, however, the period a practice has to comply with such a request is reduced to one month.
The information must be provided without charge unless the request is unreasonable or excessive. If the decision is made to refuse the request, the reason for this must be provided and the patient informed that they can raise the matter with the ICO.


There is a requirement that a Data Protection Officer (DPO) should be appointed within any organisation involved in processing patient information on a “large scale”.

What constitutes “large scale” is not defined but based upon the guidance at present it would appear that hospitals, large multi-clinics or chains of practices would require a DPO whereas an individual practitioner would not. Where the line is drawn however is not specified, but the number of individuals for whom information is held will clearly be a major factor in such case.

If there is any doubt about the requirement for a DPO, until further clarification is available, it would be advisable to carry out a self-assessment of your own practice in terms of the amount of personal data processed, both in terms of patient and staff records. Once this is done, the conclusion of the assessment should be documented including the decision on whether or not a DPO was considered necessary. In this way, it will be able to demonstrate that steps were taken to ensure compliance with the regulations.


Should there be a breach of patient confidentiality, the data controller must notify the DPC without delay and, if possible, within 72 hours of becoming aware.
The patient must also be informed if the breach has a high risk of affecting their privacy rights. The new regulations has stated for higher penalties for data breaches.

PRACTICAL STEPS: Document the nature of all personal data held, how it is collected, how it is stored, who has access, whom it is shared with.

Let us help you to make is simple for you. Call us today to make an appointment.


bottom of page