Data protection laws have changed: what next?

Featured Products Promotional Features

  Posted by: Dental Design      1st November 2018

Data Protection: two words that many clinicians rarely want to hear. For years, they have been used to stop things from happening. Too often in the past, data protection laws have been misread, misunderstood, and misapplied.

This is why, for many, data protection laws such as the GDPR and the Data Protection Act 2018, which have applied in law from 25 May onwards, can sometimes feel like distant concepts that have little to do with clinical practice. However, nothing could be further from the truth. Information, whether paper-based or electronic, is the lifeblood of a dental practice. It is often only on the rare occasion when it isn’t there, if a file goes missing or IT systems are down, that its value is truly appreciated and data protection laws come to the fore.

Working in the healthcare sector, many dental practices were already in a relatively good position to transition to the new data protection regime. They were, for example, already subject to various stringent obligations under the common law, such as the duty of confidentiality to patients, and the Standards for the Dental Team, not to mention their duties to the CQC.

That said, there is certainly no room for complacency and, as it often the case when a new law comes into force, there is still a significant amount of work that needs to be done. As the Information Commissioner, Elizabeth Denham, said just before the new law started to apply, preparations for the GDPR ‘don’t stop on 25 May 2018’, adding, ‘organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.’ In particular, dental practices need to continue to monitor developments of best practice under the GDPR and what they will need to do under, for example, the NHS Digital’s Data Security and Protection (DSP) Toolkit.

However, it is clear that this hasn’t always been easy. Many practitioners have been frustrated by the lack of guidance, or guidance being published late, from organisations such as the ICO and the IGA/ NHS Digital (at the time of writing, the latter has yet to publish key guidance on a variety of topics). In fairness, though, this shouldn’t really be a surprise. The Data Protection Act 1998, which complements the GDPR, only received Royal Assent two days before the GDPR applied. Even with the best will in the world, it is difficult to see how much of this guidance could have been ready in time when the exact terms of the Act weren’t known.

So, ‘we are where we are’. Those responsible for GDPR compliance can only deal with the current guidance available to them. What this also shows is that the GDPR—and the compliance regime based on it—isn’t a fixed deadline, rather it is a constantly evolving set of requirements that needs to be monitored and implemented in a dynamic way. Ticking a box which states ‘GDPR done’ simply isn’t an option.

Here’s a reminder of some of the most significant changes:

  • Fines for not complying with the data protection laws have been hiked up significantly. That said, the ICO has played down the prospect of large fines being levied as a matter of course. It states in its draft Regulatory Action Policy that it will target its most significant powers for organisations and individuals suspected of ‘repeated or wilful misconduct or serious failures to take proper steps to protect personal data’.
  • Practices will no longer be able to charge for subject access requests except in limited circumstances. This means that practices may well be dealing with more requests from patients to see their information.
  • it is likely that more data breaches will need to be reported to the ICO and practices will have an extremely short time frame to do so (72 hours). If your practice is obliged to use the DSP Toolkit, breaches must be reported through this mechanism. This is now open for registration and NHS Digital is encouraging practices to do this as soon as possible.
  • The DSP Toolkit is something that practices should be looking at in any event. There are numerous obligations within it which may take a practice time to implement before the end of the financial year.
Updated Data Protection Principles


When personal data is handled, dental practices need to comply with the updated data protection principles set out in the GDPR. Here are the principles, stripped of all legalese:

1   Keep it lawfully & fairly and be clear why you’re keeping it

If it ‘feels’ wrong, it probably is. Data must be dealt with lawfully, fairly and in a transparent manner.

2  Keep it only for the reason you need it

Don’t collect data for one reason and then use it for something totally unrelated.

3  Keep it minimised

Don’t collect data just because you can. Only keeping personal data that you need also minimises the risk to your practice.

4   Keep it accurate

Data should be accurate and, where necessary, kept up to date.

5  Keep it for no longer than necessary

Fortunately, there are various other laws and NHS guidelines which say how long we must keep certain information (such as our dental records).

6   Keep it secure

You need to make sure that you do all you can to prevent any unauthorised or unlawful processing, loss, damage or destruction.


7   Show you have complied with principles above

You may need to show to the relevant authorities how you are complying with the new rules, particularly if there has been a breach.

As always, there are exemptions to these principles. There is no substitute to looking at the GDPR, the Data Protection Act 2018 and related laws and guidance themselves.


For more information about the ADG visit


The views expressed in this and similar editorials by individual ADG members are intended to stimulate constructive debate about current issues in dentistry. Thoughts are the authors’ own and not necessarily those of the ADG.


Paul Caddy is the Data Protection Officer at mydentist, the UK’s largest dental chain. He is responsible for ensuring compliance with data protection laws such as the GDPR and the Data Protection Act 2018.




No Comments

No comments yet.

Sorry, the comment form is closed at this time.