Dentistry and GDPR – What you need to know – Moria Myers

Featured Products Promotional Features

  Posted by: Dental Design      4th June 2018







Moira Myers, Solicitor and Legal Counsel for Rodericks Dental – a member of the Association of Dental Groups (ADG) – shares some key issues that you need to know about the General Data Protection Regulation (GDPR) and the impact it will have on dentistry…


GDPR is a set of EU Regulations that become directly enforceable under UK law on 25thMay 2018. These take effect regardless of the current Data Protection Act 1998 (DPA 1998), which will be replaced by a new UK Act expected later in the year. The Data Protection Bill 2017 is currently on its way through the House of Lords and may yet be subject to change.


The primary focus for dentists, however, should be on GDPR as the new Act is not likely to make many significant changes to the new law, other than the one outlined below in relation to the meaning of ‘public bodies’.


In summary, GDPR applies to the processing of personal data – inside or outside the EU – and it imposes more onerous obligations in relation to the processing of certain special categories, which include medical data.


For the purposes of GDPR, ‘personal data’ means data relating to living human beings and includes any one or more pieces of information, which singly or when put together, could identify an individual.


The key obligation is to ensure that all personal data held by a business is:


  • Processed lawfully, fairly and transparently
  • Collected only for specified and legitimate purposes
  • Limited to what is necessary
  • Accurate and up-to-date
  • Erased or rectified if found to be inaccurate
  • Not kept longer than necessary
  • Kept and processed securely.


Of course, much of this is already contained in the Data Protection Act 1998 but in addition to building on the existing law, GDPR imposes wholly new obligations on the business owner (‘the data controller’), which completely change the name of the game.


Business owners will become responsible for and must be able to demonstrate to the Office of the Information Commissioner (ICO) that their business is in compliance with these principles and serious data breaches must be reported. The entity (‘data processor’) that actually carries out the processing of personal data (which will often but need not be the same entity as the data controller) must also keep written records of the processing. This means taking steps to ensure data is held securely and notifying the data controller in the case of a breach. There are additional obligations to be met when processing the personal data of children.


One key feature of the new obligations, which has received a lot of publicity, relates to what constitutes ‘lawful processing’. As referred to above, personal data must not be processed at all unless there is lawful justification for doing so.


The list of ‘lawful justifications’ includes consent given by the data subject, but under the new law, consent must be explicit in order to ensure validity; it must be freely given, informed and unambiguous. As a result, there are likely to be very few situations when it is safe to rely on consent to justify processing. (Quick reminder: GDPR doesn’t affect the law relating to implied consent of patients to receive dental treatment from their dentist or the professional obligation imposed by GDC on all dentists to keep treatment confidential, all of which remains unchanged.)


In the case of processing personal data falling into the ‘special category’ of dental treatment, the safer course of action may well be to rely on other ‘lawful justifications’ set out in GDPR, namely ‘healthcare or medical treatment’, ‘vital interests of the data subject’ and (for NHS dentists) ‘public health’.


Another very important ‘lawful justification’ for processing of personal data (which many businesses across all industries will very likely rely on more than any other) is ‘legitimate interest’ – i.e., that the processing is carried out in pursuance of a legitimate interest of the business. The scope of this head is potentially very wide indeed, but as an example, is likely to be to useful to justify CCTV used to protect against break-ins to surgery premises.


However, it is important to note that (assuming NHS dentists are to be treated as ‘public bodies’ – see below) it will NOT be possible to rely on ‘legitimate interest’ as a justification for processing data relating to NHS dentistry, as this very useful category is closed to public bodies. By way of example, this would mean that NHS dentists could not use the ‘legitimate interest’ justification to contact patients to advise that a new dentist has joined the practice to offer only privately paid treatments.


The potential fines that can be imposed by the ICO for breach of GDPR are very much higher than under the DPA1998, amounting to a maximum of Euro 20,000,000 or 4% of global turnover – whichever is the higher.


Another major change is the obligation imposed on businesses to appoint a ‘Data Protection Officer’ (DPO) if either they undertake large scale processing or they are a public body. The purpose of this new role is to ensure that all affected businesses and all public bodies have one individual in the business who is expert in GDPR regulations, can offer advice to the entity on its implementation of GDPR and is under a statutory duty to inform the ICO in case of serious breach.


Unfortunately for dentists performing NHS dentistry, they will be treated as ‘public bodies’ for this purpose and MUST appoint a DPO regardless of the size of the practice. The GDPR itself simply obligates ‘public bodies’ to appoint a DPO without defining what this means. While this would seem not to include dentists, a section of the new Data Protection Bill proposes to use the definition of ‘public body’ as set out in the Freedom of Information Act. This means that when that Bill becomes law, any dentist with an NHS contract will be treated as a ‘public body’ and required to appoint a DPO. It makes sense, therefore, to be prepared.


A DPO can act for several businesses and so dentists can appoint a suitably qualified DPO on a consultancy basis and therefore (unless this provision is dropped from the Bill before it becomes law), it would seem obvious that dentists in a local area should group together to jointly appoint a Data Protection Officer and share costs and expertise as well as good practice.


In addition, there are completely new rights for data subjects, including the right to be told in writing (by a document called a ‘privacy notice’) how his or her data is to be processed, and the right to insist on rectification of incorrect data.


The GDPR is designed to ensure greater protection and rights for individuals. All businesses must comply but for those handling special category personal data, such as dental practices, the obligations are more onerous. For more information on how you should be preparing, the ICO offers a guide online.[i]



For more information about the ADG visit

[i]Information Commissioner’s Office. Guide to the General Data Protection regulation (GDPR). For organisations.[Accessed February 2018]

No Comments

No comments yet.

Sorry, the comment form is closed at this time.