The UK GDPR uses terminology that people may find confusing. It also defines a number of roles and responsibilities and introduces some new roles. These are explained below:

Personal Data
Name, address, date of birth, doctor’s name and address etc.

Special Category Data
Includes sensitive information such as medical history, medical and dental records, ethnic origin, race, political opinions, religion, trade union membership, genetics, biometrics, health, sex and sexual orientation. It also includes DBS checks and Hepatitis B status.

Data Processing

Includes collecting the information about an individual, using it, storing it, securing it etc. UK GDPR applies to all businesses and organisations and to all personal data held about individuals. In a dental practice, this means patients, employed and self-employed team members, referrers and anyone else that the practice processes data for.

Personal Privacy Rights

Under UK GDPR, all individuals who have personal data held about them have the following personal privacy rights:

  • Right to subject access
  • Right to have inaccuracies deleted
  • Right to have information erased
  • Right to object to direct marketing
  • Right to restrict the processing of their information, including automated decision-making
  • Right to data portability.

Automated Decision Making
This includes all decisions made without human intervention, i.e. all decisions that are taken automatically, e.g. email reminders to book an appointment, text or email reminders of appointments, and direct marketing.

Data Portability
The ability to take personal data elsewhere, e.g. to another dental practice or employer.

Legal Basis for Processing Data
There are six legal bases for processing personal data. You must be able to justify, articulate and document the legal basis on which you collect and process all personal data that you hold.

Data Protection Impact Assessment
A data protection impact assessment is the process of systematically considering the impact any project or initiative could have on the privacy of individuals.

Data Protection by Design and Default
Data protection by design and default means that everything you do or plan to do, such as new projects and initiatives, is always planned and executed with privacy in mind. Everything should always be ‘designed’ with privacy in mind, and that is your ‘default’ position.

Data Protection Officer

A person designated or appointed to ensure the business complies with UK GDPR.