GDPR Compliance: Essential Checklist for Dental Practices

This blog outlines the fundamental requirements for compliance with GDPR regulations, tailored specifically for dental practices, so that both your own data and your patients' data are protected.

Item 1: Privacy Notices

A privacy notice is mandatory and must provide patients with the following information:

Explanation of the lawful purpose for processing their personal data, typically falling under Article 6(1)(e) of the UK GDPR, which pertains to “…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…” Additionally, Article 9 covers special category data, such as personal data about health.

Clarification of retention periods for the data.

Identification of entities with whom the data will be shared.

Item 2: If you provide NHS dental services, you must appoint a data protection officer (DPO)

Practices providing NHS treatment are classified as public authorities and must appoint a Data Protection Officer (DPO) or establish arrangements to share one. The designated individual should possess proven expertise in data protection law and its application. Remaining aware of any regulatory updates or clarifications, particularly from bodies like the Information Commissioner’s Office, is essential for effective compliance management.

Options for appointing a DPO include:

a) Hiring a new staff member with specialised knowledge, qualifications, and experience.

b) Designating an existing practice member who possesses the necessary qualifications and experience. This individual can integrate DPO responsibilities with other duties, such as maintaining records of processing activities. However, DPOs must not hold final decision-making authority regarding data processing and should avoid conflicts of interest.

c) Sharing a DPO with one or more practices is feasible, but considerations such as practice sizes, patient volumes, and the DPO’s capacity to understand and advise each practice while ensuring compliance must be carefully assessed.

Item 3: Procedures in place for subject access requests

Under the UK General Data Protection Regulation (UK GDPR), individuals hold the right to request access to their records. It is imperative to exercise caution and redact any third-party information or material that may pose a significant risk of harm to the patient.

Moreover, the UK GDPR, along with the Data Protection Act (DPA) 2018, exclusively pertains to the data of living individuals. Deceased patients’ records in England, Wales, and Scotland remain governed by the Access to Health Records Act 1990, while those in Northern Ireland are subject to the Access to Health Records (Northern Ireland) Order 1993.

Dental professionals must also adhere to guidance provided by the General Dental Council (GDC) regarding the maintenance and protection of patients’ information.

In compliance with the UK GDPR and DPA 2018, certain considerations must be taken into account when handling subject access requests:

a) Subject access requests are not restricted to written form.

b) Individuals cannot be levied charges for record copies unless the request is deemed “manifestly unfounded, excessive, or repetitive,” in which case a reasonable fee may be applied. However, the determination of what constitutes such requests and a reasonable fee remains undefined. Dental professionals should exercise discretion, considering their obligations outlined in paragraph 4.4 of the GDC’s Standards for the dental team.

c) Information must be provided within a one-month timeframe.

d) Detailed documentation of access requests is essential, encompassing any delays in information provision, instances of “manifestly unfounded or excessive” requests, and information provided regarding the right to lodge a complaint with the Information Commissioner’s Office (ICO) or seek judicial remedy.

Furthermore, insurance companies, solicitors, or other third parties should not incur charges for records requested under subject access requests with patient consent. However, requests for information or reports by third parties should be processed in accordance with standard procedures.

Item 4: Evaluate Data Protection Fees

The Data Protection (Charges and Information) Regulations came into force on 25 May 2018. These regulations introduced new fees for data controllers. The regulations set the charge period when the fee is due and fix the amount to be paid.

The amount you need to pay will depend on how many people you have in your organisation.

All Med Pro is constantly looking for ways to improve our service and provide education to our clients. Therefore, we do not stop with just providing your dental indemnity insurance. We take the next step by offering podcasts, CPD webinars, and informative blogs to keep you informed of any new research or news you need to be aware of.

Ready to make the switch to All Med Pro? Whether you need dental indemnity, dental practice or other insurance to give you peace of mind, we have you covered. Have a chat with our friendly team today by booking a consultation with All Med Pro.

For peace of mind that you and your business reputation are protected, contact All Med Pro for all your insurance needs.
