GDPR & Your Practice

GDPR in a nutshell.

GDPR exists to protect everyone’s personal data, and updates to this legislation affect all businesses that handle personal data. The UK has adopted a version of the GDPR (“UK GDPR”) that mirrors all the same principles. . ‘Personal data’ refers to any information collected about a person. For example, any instance in which a person fills out a web form, requests a call back or signs up to a mailing list, they pass on their personal information to that business. So, as a dental practice with a database of patients and potential patients, UK GDPR directly applies to how you manage this kind of personal data (such as email addresses, telephone numbers, dates of birth, treatment notes, photographs, etc.).

You. As the dental practice you are the Data Controller. You own, store and are responsible for data about your patients, and those who may be interested in treatment (your leads).

DenGro. As the solution that supports you, the dental practice, to manage and process data about your leads, DenGro is the Data Processor acting on your instructions.

Your practice responsibilities.

As a dental practice, you are a Data Controller (in GDPR lingo), which means that you make decisions about how the information about your patients is used, as well as data for those who may be interested in treatment.

Lawful basis for holding data

You can process data provided you have a lawful basis for doing so, as defined by the ICO.

We recommend you seek professional legal advice as the relevant legal basis will vary across different practices. It could vary for example if you are capturing leads for new or existing patients.

It is worth noting that an enquiry about treatment will not be based on consent as the person interested in treatment needs to provide their information for that purpose. It will fall under “legitimate interests” of the practice. Consent will be relevant to any marketing that a practice may also want to send following an enquiry.

Consent may not be appropriate for all messaging. There is a difference between service messages and marketing messages. Service messages (e.g., your appointment is at [date & time] do not require consent.

You may want to rely on gaining consent at the point you capture data using opt in fields. Opting in should be clear and transparent, with no long words or jargon, and it must be clearly logged.

If you take this approach, it is important that consent is captured irrespective of the channel of communication that they reach you by. So, you may wish to review your telephone scripts to include a request for consent in preparation for when a new lead calls the practice directly.

How DenGro is helping you with consent

Our aim with DenGro has always been to make your practice life simpler, so we make it easy to stay on the right side of GDPR* with minimum hassle.

• We can provide you with the details required to capture consent, and we can also supply you with pre-written consent wording that you can drop straight in, should you need it (you can modify this to make it personal to your practice).

• When you manually enter a new lead into DenGro, you will be able to document any consent you have gained. Using your team members’ login, DenGro can record who in your practice has recorded the consent too, and so keep a nice, neat audit trail. This also acts as a helpful reminder for your team that consent should be recorded if this is relevant to your practice.

• Within DenGro, you will also be able to clearly see what consent has been documented for a particular lead, so it should always be clear what you can do with the data.

• Within DenGro, you’ll also be able to clearly see what consent has been documented for a particular lead, so it should always be clear what you are allowed to do with the data.

*As the Data Controller, the responsibility for gaining consent to process personal data lies with you. This isn’t new; it’s detailed in the Subscription Terms and Terms of Use accepted when signing up and first accessing DenGro.

Individuals’ rights to view, amend or delete personal data

Individuals have more extensive rights to view the data you store about them, and require that you amend or completely delete that information at their request.

Your Privacy Policy should be updated to reflect this in line with the GDPR.

Your practice may receive requests to view, amend or delete personal data. For new leads, DenGro automations (emails and SMS messages) will have a link where the lead can manage their contact preferences.

You can action data requests using DenGro by completing one of the following actions:

• View. Export data straight from the lead detail page in DenGro, ready to send to your lead as a .CSV file.
• Amend. Changes to data can be made directly in DenGro (you can also then export and send the amended details).
• Delete. Should you ever receive a delete request from a lead directly, you can easily delete all their data within DenGro. If we receive a request to remove consent, we’ll display it on your dashboard, where you can remove the data in DenGro at the click of a button. (You’ll potentially need to remove that lead’s data from other places you’ve stored it too.)