Internet Explorer and Edge browser users:
To download Word, Excel or PowerPoint files please right-click on the file you wish to download, and select 'Save target as...'

What associates need to know about GDPR

Blog Author Alan Pitcaithley

Blog Date 24/10/2018

What is GDPR all about?

The  General Data Protection Regulation 2018 (GDPR) is the name given to new European law on data protection. It seeks to ensure that you know who has your information, what information they have and what they are doing with it.


GDPR goes further than the Data Protection Act 1998 by making sure that anyone holding personal information use it correctly.


New requirements include:


  • Auditing the types of information that you hold and what you do with it.
  • Having a valid reason for using and storing information in the way that you do
  • Letting people know that you hold information about them and what you do with it.

Are associates a Public Authority?

The GDPR requires that all Public Authorities appoint a Data Protection Officer (DPO).


If you are a principal in Northern Ireland or a contractor in Scotland you will need to appoint a DPO. In other words, unless you treat all the patients on a wholly private basis, in Northern Ireland and Scotland both practice owner and associate need to appoint a DPO.

In practicable terms the practice owner can agree, as part of the associateship agreement, and also as part of the data processing agreement (see below) that they [the practice owner] will provide the associate with a DPO as part of the licence fee the associate pays the practice owner.


What the role of a data protection officer?

  • To make sure the practice owner understands their responsibilities under GDPR
  • To monitor practice compliance with GDPR, train staff, make sure everyone knows what they are supposed to do
  • Where necessary, ensure that impact assessments are done – for example, with the introduction of new technology to deal with personal information
  • Cooperate and liaise with the Information Commissioner's Office (ICO)

Are associates data processors or data controllers? Do Associates need to pay a registration fee to the ICO?

Only data controllers pay a data protection fee to the Information Commissioners Office. Most associates (and other self-employed contractors at the practice) are not controllers, so will not need to pay a data protection fee. They may be controllers if:


  • They have their own patient following
  • They see their patients at other practices as well as at the practice in question
  • They use patient information for their own ends, such as to promote their specialism
  • They are a specialist at the practice and have their own pricing.

Do associates need to issue privacy notices?

Personal information is any information that allows an individual to be identified. Where you hold personal information, you must give the individual a privacy notice that describes:


  • What information you hold
  • How long you hold it for
  • What you do with it, and
  • Who you might share it with. You must also let them know about their rights in relation to this information.

An associate will only need to issue privacy notices if they have registered with the ICO as a data controller.

The important thing is to ensure that your patients have easy access to your privacy notice.


Do associates need data processing agreements with practices?

GDPR requires that data controllers have a data processing agreement in place with any data processors. Therefore, most practice owners will need to have a data processor agreement in place with their associates.


The agreement will state that the data processor will only use the information they have been given for the specific purpose it has been provide for and that they will keep it secure


Referrals to and from other practices

Referral practices are usually controllers and will have their own privacy notices.

You should discuss any referral you wish to make with the patient and get their agreement to be referred and to passing relevant personal information to the specialist or referral practice (which should be identified). As you are passing on information for medical purposes and have the agreement of the patient to do so, you do not need further consent to satisfy GDPR requirements.

If a patient has been referred to you then you must give the patient your (practice) privacy notice within one month of accepting the referral. Acknowledging a referral, provides you with the opportunity to include your privacy notice or providing a link to your website.


Can I still send appointment reminders and recalls?

You do not need the patient's consent to send appointment reminders and recalls but you should check that they are happy to receive them and their preferred method (email, text, letter, for example). If the patient objects, you should not send reminders or recalls.


Got another question about GDPR?

Find more information and resources for BDA members on GDPR.


Get your contract checked for free

This might be a good time to get your associate agreement checked, to ensure it includes information about your data protection responsibilities – the BDA offers a free associate contract review service to members, just email your contract through to

Alan Pitcaithley, Practice Management Consultant

Adapted from an article by Pitcaithley, A. What associates need to know about GDPR. BDJ In Practice 2018; 9: 37.

Improving working lives for younger dentists

We support dentists in at all stages of their careers and our Young Dentists Committee and GDPC Associates Group aim to be the voice of those starting out in dentistry and those mid-career.

They work on a range of issues, including pay and conditions, education and training, career pathways, the impact of dental regulation and stress in the profession, and dental health and science issues.

Read the latest news via our blogs. If you'd like to contribute to our blogs new submissions are always welcome, please get in touch.

With each new member, our voice and our influence grows. Add your voice, join today.