GDPR for Dentists

27 February 2018 | Blog

10 minute read.

GDPR is coming! Are you prepared? In this blog, I’ve tried to summarise the position relating to ‘marketing for dentists’.

About GDPR

What is GDPR?

GDPR is the General Data Protection Regulation (officially (EU) 2016/679). Whilst it may have new aspects, it is not really new. It’s an evolution of current European rules on data privacy and protection, and it aims to strengthen individuals’ rights regarding the collection, use and storage of their personal data. The penalty for ‘non-compliance’ can be up to 4% of turnover.

So, what Counts as Personal Data?

Any data that can be used to identify a living person, directly or indirectly, is classed as personal data, e.g. name, address, email address, NHS number, location data, IP address (computer details used to access your website).

And, what is ‘Sensitive Personal Data’?

As the name implies this is a special class of data and includes Race, Health Status (ie oral health, dental records, treatments etc), Marital status etc.

What rights do patients have?

In essence your patients need to be assured you only store the data you need, you keep it secure and safe, you allow the patient to view it if they want, and if there are any errors, you will make any alterations the patient informs you about, and if they want the data ‘deleted’ you can activate this.

Data storage, Practice Management software etc

What do I have to do?

  1. Audit all personal data held – find out what you hold and why
  2. Document everything – plan and write down policies and procedures for:-
    • Access requests – how will you fulfil any requests to view personal data held?
    • Data security – detail what you’re doing to keep the data safe
    • Data breaches – ensure you will know if there is a data breach! And who to inform
  3. Inform your audience – update your privacy statement – more detail below
  4. Identify a legal basis for all your personal data collection activities
  5. Consider having a Data Protection Officer (DPO)

This blog doesn’t propose to cover items 1, 2, 4 or 5 above, and we’d recommend you speak to your Defence Union, IT suppliers, Practice Management Software suppliers etc to get more detailed advice on these matters. But, at the bottom of the page, there are a number of links you may find useful.

    You’re only a ‘small practice’ so are you affected by GDPR?

    No matter how small you are, you have to securely collect, store and use personal information. Whilst ‘article 30’ of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR, if you use the data regularly (ie practice management software), or have a ‘data breach’, GDPR will certainly apply to you, and therefore the potential fines!

    You’re a dentist so does GDPR apply to you?

    Many dentists feel that as ‘medical practitioners’ the rules don’t apply to them. Certainly, under point 4 above, you have a legal basis for collecting and storing data about your patients. But, you will still have to comply with data security etc, and, whilst you’re obviously entitled to email patients about ‘appointments’, if you’re deemed to be ‘marketing’ you will need to have received ‘permission’.


    Okay, so with all the official info’ out of the way, and now that we’ve established that GDPR does apply to you, let’s talk about how to make sure your website is compliant:-

    1. Breach notification – Under GDPR, if your website experiences a data breach of any kind, the breach needs to be communicated to your users. You’re therefore under a legal requirement to assess and monitor the security of your website. Here at Dental Design, we monitor all of our sites constantly, but if you’re not a client, you could install software such as ‘Wordfence’.
    2. Data collection, processing and storage –
      • You need to publish a detailed ‘bespoke’ privacy policy as to what data you’re collecting, how you’re storing and what you’re using it for. Don’t just copy and paste one, make sure that it’s tailored to your practice and the data you hold.
      • You need to provide an easy method for people to request the information you hold on them.
      • You need to enable a person to alter/ correct the information, or have it permanently deleted if they desire.
      • ‘Cookies’ are covered under the ‘ePrivacy regulation’, separate from GDPR. Its implementation date was supposed to coincide with GDPR, but it will likely be delayed as it’s still in draft!
    3. Security
      • Whilst ‘secure servers’ ie SSL, HTTPS are not specifically covered by the GDPR, if you’re not hosted in this way, you (and your visitors) can’t be certain your data/content is secure. Google will be warning surfers to your site if you are not on a secure server from June, and so not only do you risk data breaches, but also losing rankings and therefore visitors. So a bit of a ‘no-brainer’! As a result we now only host our clients on secure servers. If you’re not with Dental Design, speak to your web company to ensure you are ‘secure’!
      • In the past only ‘referral forms’ ie those containing medical information, needed to use ‘secure form’ systems. The majority of forms on websites currently send the information via email to the practice. Therefore the data is travelling ‘insecurely’ over the internet from the form to your email account. To ensure the security of data, a ‘secure form’ system, whereby the data is not transmitted but merely ‘stored on the secure server’ and can only be downloaded using a specific password, is ‘best practice’. Here at Dental Design, we offer a ‘secure form’ option to all clients, and if you’re not with us, I’d recommend you ask your web company to install one for you to ensure you’re compliant.
    4. Direct Marketing

      GDPR is very hot on the subject of direct marketing and it is clear that you must have received explicit consent from a person before you can email them.

      As dentists you no doubt have collected over the years many many emails from your patients, and you would imagine that it’s ok for you to send recalls and reminders, but, to date, I’ve seen nothing in writing that confirms this. However, it is written that before you can market to anyone (so informing patients about a special offer, or new treatments available etc) you must have garnered ‘explicit consent’, so even if the tick box on your website’s form is set as ‘agree’ by default, this would count as a ‘violation’!

      There are other implications too – if you wish to buy a mailing list, say from a local newspaper, you would be sending emails illegally to the recipients since no one explicitly asked to receive emails from you.

      So, to my mind, best practice would be for you to email every patient and ex-patient whose address you have, requesting them to ‘opt in’ to receive emails from you. You need to:-

      • Clearly state what you will be emailing about, therefore specifically stating ‘marketing and promotional’ information.
      • Keep a record as to when ‘consent’ was received
      • Provide a method by which people can alter their permission, or opt out
      • Once you have this ‘clean list’ you need to make sure it is constantly updated with all new emails you collect, and that everyone has ‘agreed’ to being mailed.
      • If you don’t get ‘consent’ then remove the email from your list. If nothing else, it probably means the email address is out of date, and therefore not worth using!
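
      The steps above can be kept as a simple consent register. This is an added illustration, not part of the original post or any Dental Design system; the class and field names are hypothetical and the sample addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

PURPOSE = "marketing and promotional information"  # wording shown to the patient

@dataclass(frozen=True)
class ConsentEvent:
    email: str
    granted: bool
    purpose: str
    source: str    # where the decision came from, e.g. a form name
    at: datetime   # when consent was given or withdrawn (UTC)

class ConsentRegister:
    def __init__(self):
        self._events = []  # append-only, so every decision stays on record

    def _add(self, email, granted, source, at):
        at = at or datetime.now(timezone.utc)
        event = ConsentEvent(email.strip().lower(), granted, PURPOSE, source, at)
        self._events.append(event)
        return event

    def record_form(self, email, ticked, ticked_by_default, source, at=None):
        # A box that was pre-ticked is not explicit consent: store it as "no".
        return self._add(email, ticked and not ticked_by_default, source, at)

    def opt_out(self, email, source="unsubscribe link", at=None):
        return self._add(email, False, source, at)

    def latest(self, email):
        key = email.strip().lower()
        history = sorted((e for e in self._events if e.email == key),
                         key=lambda e: e.at)
        return history[-1] if history else None

    def clean_list(self, addresses):
        """Keep only addresses whose most recent recorded decision is an opt-in."""
        decisions = ((a.strip().lower(), self.latest(a)) for a in addresses)
        return [a for a, e in decisions if e is not None and e.granted]

def demo():
    # Constructed sample data: four addresses from an old patient list.
    reg = ConsentRegister()
    day = lambda d: datetime(2018, 3, d, tzinfo=timezone.utc)
    reg.record_form("Anna@example.com", True, False, "opt-in email", day(1))
    reg.record_form("ben@example.com", True, True, "website form", day(2))  # pre-ticked
    reg.record_form("cara@example.com", True, False, "opt-in email", day(3))
    reg.opt_out("cara@example.com", at=day(9))  # later change of mind
    return reg.clean_list(["anna@example.com", "ben@example.com",
                           "cara@example.com", "dan@example.com"])
```

      Only the first address survives: one was pre-ticked, one opted out later, and one never replied.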

      Final thoughts

      So to sum up, GDPR compliance shouldn’t be too complicated for a small practice, but everyone needs to be thinking and acting to ensure they do not run the risk of falling foul of the changes.

      Useful further reading:-

      What does GDPR mean to me and my small business
      Problems with Medical Practice Management Databases in the UK
      Preparing for the General Data Protection Regulation (GDPR)
      GDPR Consent Guidance
