GDPR exists to protect everyone’s personal data, and updates to this legislation affect all businesses that handle personal data. The UK has adopted a version of the GDPR (“UK GDPR”) that mirrors all the same principles. . ‘Personal data’ refers to any information collected about a person. For example, any instance in which a person fills out a web form, requests a call back or signs up to a mailing list, they pass on their personal information to that business. So, as a dental practice with a database of patients and potential patients, UK GDPR directly applies to how you manage this kind of personal data (such as email addresses, telephone numbers, dates of birth, treatment notes, photographs, etc.).
You. As the dental practice you are the Data Controller. You own, store and are responsible for data about your patients, and those who may be interested in treatment (your leads).
DenGro. As the solution that supports you, the dental practice, to manage and process data about your leads, DenGro is the Data Processor acting on your instructions.
As a dental practice, you are a Data Controller (in GDPR lingo), which means that you make decisions about how the information about your patients is used, as well as data for those who may be interested in treatment.
You can process data provided you have a lawful basis for doing so, as defined by the ICO.
We recommend you seek professional legal advice as the relevant legal basis will vary across different practices. It could vary for example if you are capturing leads for new or existing patients.
It is worth noting that an enquiry about treatment will not be based on consent as the person interested in treatment needs to provide their information for that purpose. It will fall under “legitimate interests” of the practice. Consent will be relevant to any marketing that a practice may also want to send following an enquiry.
Consent may not be appropriate for all messaging. There is a difference between service messages and marketing messages. Service messages (e.g., your appointment is at [date & time] do not require consent.
You may want to rely on gaining consent at the point you capture data using opt in fields. Opting in should be clear and transparent, with no long words or jargon, and it must be clearly logged.
If you take this approach, it is important that consent is captured irrespective of the channel of communication that they reach you by. So, you may wish to review your telephone scripts to include a request for consent in preparation for when a new lead calls the practice directly.
How DenGro is helping you with consent
Our aim with DenGro has always been to make your practice life simpler, so we make it easy to stay on the right side of GDPR* with minimum hassle.
*As the Data Controller, the responsibility for gaining consent to process personal data lies with you. This isn’t new; it’s detailed in the Subscription Terms and Terms of Use accepted when signing up and first accessing DenGro.
Individuals have more extensive rights to view the data you store about them, and require that you amend or completely delete that information at their request.
Your Privacy Policy should be updated to reflect this in line with the GDPR.
Your practice may receive requests to view, amend or delete personal data. For new leads, DenGro automations (emails and SMS messages) will have a link where the lead can manage their contact preferences.
You can action data requests using DenGro by completing one of the following actions:
Catch, nurture and convert leads to treatment the easy way.