The GDPR uses terminology that many people find confusing. It also defines a number of roles and responsibilities and introduces some new roles. These are explained below:

Personal Data

Name, address, date of birth, doctor’s name and address etc.

Special Category Data

Includes sensitive information such as medical history, medical and dental records, ethnic origin, race, political opinions, religion, trade union membership, genetics, biometrics, health, sex and sexual orientation. In a dental practice it also includes DBS checks and Hepatitis B status.

Data Processing

Includes collecting information about an individual, using it, storing it, securing it etc. GDPR applies to all businesses and organisations and to all personal data held about individuals. In a dental practice this means patients, employed and self-employed team members, referrers and anyone else whose data the practice processes.

Personal Privacy Rights

Under GDPR, all individuals who have personal data held about them have the following personal privacy rights:

  • Right to subject access
  • Right to have inaccuracies deleted
  • Right to have information erased
  • Right to object to direct marketing
  • Right to restrict the processing of their information, including automated decision-making
  • Right to data portability

Automated Decision Making

This includes all decisions taken automatically, without human intervention, e.g. automated email or text reminders to book or attend an appointment, or automated direct marketing.

Data Portability

The ability to take personal data elsewhere e.g. to another dental practice or employer.

Legal Basis for Processing Data

There are six legal bases for processing personal data. You must be able to justify and articulate the legal basis on which you collect and process every item of personal data you hold, and you must document that legal basis.

Data Protection Impact Assessment

A data protection impact assessment is the process of systematically considering the impact that any project or initiative could have on the privacy of individuals.

Data Protection by Design and Default

Data protection by design and default means that everything you do or plan to do, such as new projects and initiatives, is planned and executed with privacy in mind. Everything should always be ‘designed’ with privacy in mind, and that is your ‘default’ position.

Data Protection Officer

A person designated or appointed to ensure the business complies with GDPR.