The World's Highest Rated
Dental Marketing Agency
5 445+
Dental Marketing Blog

GDPR for Dentists and Practice Managers

If you’re a dental practice owner or in charge of implementing GDPR at the practice you work at, then it is essential for you to acquaint yourself with the General Data Protection Regulations, known officially as the (EU) 2016/679 which governs how patient data can be used and collected.


This new regulation is coming into effect on the May 25th, 2018. It is important for all dental practices to comply with these updated regulations, as failure to do so can mean a business is liable to pay substantial penalties, which has been defined as up to 4% of revenue.

Colloquially known as the GDPR, the new set of regulations is designed to replace the Data Protection Directive 95/46/EC with the intention of creating one streamlined law in regard to data privacy across Europe.

Defining personal data and sensitive personal data

Patient information can be divided between two categories: personal data and sensitive personal data. Each data type consists of different information and relates to how this data is used, stored, managed, as well as gathered.

  1. Personal data

The security of personal data, as well as how personal data is collected, is under the microscope these days. Personal data as it pertains to your dental clients extends to the patients key identifying characteristics. This includes the patients given name, middle names, and family name, as well as their residential address, email addresses, their NHS number, any information that relates to their locality as well as the IP address they use to access your clinic’s website.

  1. Sensitive personal data

Sensitive personal data consists of information that is considered protected against unauthorised disclosure and as a result, should be treated with absolute security. This includes the patient’s race or cultural affiliation or ethnic origin, religion, political orientation, mental health status, gender, and general health status, as well as their treatment history which includes their dental records as well as the treatments undertaken in your practice.

The importance of patient rights

All patients have the right to know your dental practice will keep an accurate record of data which relates directly to the treatments they have in your establishment. Patients have the right to know you will treat their data with secure processes and you have protocols in place to prevent any privacy breaches.

In addition, patients need to be informed they can see the information you store about them either in hard copy or electronic copy at any time. Patients reserve the right to correct any data if it presents with any issues, that you will act as soon as the patient requests an amendment, and you will delete or destroy the information you hold should the patient request this action.

Moving forward with compliance

  • Data audit

Every dental practice needs to undertake a thorough audit of existing records, both digital and physical. With an audit, you can establish which kinds of data you hold which will enable you to act to make sure your practice is in compliance.

  • Policy and procedures

With a full audit complete, you can move forward by documenting a full list of policies and procedures for the following crucial events as required under the GDPR.

  • Data requests

The GDPR confirms patients have the right to access their held personal data. To fulfil this request, you need to first determine the procedures you will use to action these requests. Once determined, this will serve as the standard practice all employees will use to respond to patients in a timely and efficient fashion.

  • Data security

The GDPR requires all dental practices to have policies and procedures in place to confirm the security of patient data. In order to confirm your policies and procedures are up-to-date, it is important to document your efforts to ensure they meet the demands of compliance.

  • Data breaches

If a data breach does occur, your employees need to know how to handle this for it to comply. Before the GDPR comes into action, it is important to document this process for all employees to follow.

Disclosing compliance to patients

To keep in compliant with the GDPR, it is important to inform your patient base that your practice complies and inform them of their rights. This can be achieved through an updated privacy statement displayed on your website as well as in your clinic in a highly-visible location. Get your free GDPR dental poster here.

Going forward with data collection

As a dental practice, it is part of the nature of your work to collect data. At this point, it is important to reflect on what information you are gathering and whether you have a right to do so in regard to the law. An examination of this allows you to remove any types of information that may prove problematic.

Online Ads and New Patient Enquiry Rules

If someone responds, for example, to a landing page, filling in patient details to receive a service such as a free consultation, the person has given his or her consent for you to contact them.

However, an online lead from an email marketing campaign, Facebook or Twitter ad, or something similar requires you to explicitly obtain permission in some manner to contact them. An easy way is an opt-in button for permitting contact for marketing and promotional purposes.

The GDPR requires you to maintain a record of from where you received the data, and a means of retrieving it should the patient or prospective client ever request the information. You will have to create a searchable repository of some sort for the information.

Consider a dedicated member of staff

Personal and sensitive data security is more than just an occasional compliance issue. In fact, some practices have found success by assigning a single employee the task of managing patient information and security.

With the title of Data Protection Officer (DPO), this employee can have the added responsibility as well as the added benefit of being a valuable member of your team, tasked with ensuring all branches of your business comply with all governing legislation.

While Article 30 of the General Data Protection Regulations states that the incoming changes will not bind businesses with less than 250 employees, you still run a risk of being liable for significant fines for non-compliance, making a DPO a great choice.

General website compliance

It is important your dental website complies with all aspects of the General Data Protection Regulations. This includes:

  • Patient-wide communication of a data breach if and when it occurs.
  • Data collection transparency by way of a privacy policy which informs users of the type of data you are collecting, why you are collecting it, and how you are storing it.
  • An easy to use process for patients to request personal information or request an alteration to existing information.
  • Policy in relation to cookies, which is a unit of data stored on a patient’s computer while the user is browsing your site.
  • Ensuring all patient information entered on the website is sent via a secure means to your dental practice, which may involve a technical update to your web design.

The implications for marketing

The General Data Protection Regulations tightens up the loose ends of direct marketing in the following ways:

  • Your dental practice must confirm consent with a patient or potential patient before you send them direct marketing emails.
  • Your dental practice must confirm consent with all previous patients who may have interacted with your business online via email, as acting without consent contravenes the regulations regardless of whether that patient has been in contact with you at any stage in the past.
  • Your dental practice must not purchase any mailing lists or any other list of emails in order to send direct marketing campaigns. Doing so is a violation of the regulations and would be classed as spam.

Going forward with email management

The best way to proceed with your current patient email database is to individually email them notifying them of the changes and directly asking them whether they wish to continue to receive communications from your business. In doing this, it is important to:

  • Be clear about the function of potential emails and allow patients to choose between marketing emails and informative emails.
  • Keep a record of clients who consented to continue to receive emails as well as ensure you delete patients who fail to reply or who decline to provide consent.
  • Continually update your consented email list.

Overall, it is important for every dental practice to ensure they comply with the upcoming changes next month. With a bit of preventative action now, you can be sure your business will run smoothly through this time of transition with little change you will be found in violation of the new regulations.