An overview of: General Data Protection Regulation (GDPR)

This legislation came into effect on 25th May 2018. It is a piece of European legislation and replaces the Data Protection Act 1998. Now that the law is in effect, everyone must be compliant, and there are large fines in place for companies that breach the new regulations.

The regulation ensures that the person whose data you are storing understands how their data will be processed and used.

You will need to familiarise yourself with policies and procedures relating to data protection.

The Information Commissioner’s Office

  • Also known as the ICO.
  • The ICO is responsible for ensuring that all data is correctly stored.
  • It can fine companies that do not comply with these regulations up to 4% of their turnover.

The Data Subject

The Data Subject is the individual whose information you have stored.

Ensure that all Personally Identifiable Information (PII) is stored correctly, or not stored at all.


The Data Controller

The Data Controller decides how and why the data is processed. Data Controllers must be registered with the ICO.

The Data Controller will need to ensure that measures are in place to respect the privacy and freedoms of the Data Subject.

If the appropriate measures are not in place, the ICO can force changes, impose fines and prosecute individuals.


The Data Processor

The Data Processor receives data from a Data Controller.


The Natural Person

A Natural Person is any living individual.

The Natural Person has rights associated with:

  • Protection of personal data
  • Protection of the processing of personal data
  • The unrestricted movement of personal data within the EU


Data Protection Officer

There must be somebody taking responsibility for ensuring that your organisation is compliant.

This individual must take proper responsibility for data protection compliance and have the knowledge, support and authority to do so.

If you are a public authority, an organisation that carries out regular and systematic monitoring of individuals on a large scale, or an organisation that carries out large-scale processing of special categories of data (e.g. health records or criminal convictions), then you must appoint a Data Protection Officer.


Personal Data

Every ‘Natural Person’ has personal data. The amount of personal data we hold has increased over the years and will continue to do so as the world develops. Examples of personal data:

  • Name
  • Address
  • Medical Details
  • Banking Details


Sensitive Personal Data

It is important to gain explicit consent for keeping sensitive data about an individual. Examples of sensitive data:

  • Race or Ethnic Origin
  • Political Opinions
  • Religion or Philosophical Beliefs
  • Trade Union Membership
  • Physical or Mental Health conditions
  • Any allegations of any offences caused by the Data Subject
  • Anything concerning the person's sex life or their Sexual Orientation


Exceptions to Processing of Special Categories of Personal Data

Special categories of personal data may be processed where:

  • The Data Subject has given consent
  • It is necessary to fulfil the obligations of the Data Controller and Data Subject
  • It is necessary to protect the interests of the Data Subject
  • The processing is carried out by a foundation or not-for-profit organisation
  • The personal data has already been made public by the Data Subject
  • The information is in the public interest


Make sure that you are aware of the Data Protection changes and keep up to date with all changes that are being made.

Everybody will need to work together to minimise the chance of a breach happening.


Privacy Notices

All privacy notices within your practice/organisation must be reviewed, and they must be sufficient and relevant.

When you collect information from the Data Subject you need to tell them who you are and inform them:

  • How you intend to use the information
  • How long the information will be kept
  • How they can complain to the ICO if necessary


Rights of the Data Subject under GDPR

When storing information on a person, you must document how you will store the information and how it will be deleted, and ensure that your process covers all of their rights:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability, which only applies:
    • to personal data an individual has provided to a controller
    • where the processing is based on the individual's consent or for the performance of a contract
    • when processing is carried out by automated means
  • The right to object
  • The right not to be subjected to automated decision making or profiling


Subject Access Requests

  • Subject Access Requests are closely linked to the rights to Rectification, Erasure, Restriction and Objection.
  • When a Data Subject exercises the ‘Right to be Forgotten’, all traces of their data should be removed from all systems.
  • Any individual is entitled to make a ‘Subject Access Request’, which means they want to see the data held on them. Under the Data Protection Act you could charge a fee for this, but this is no longer the case under GDPR. The request must be dealt with within 30 days.


Lawfulness of Processing

Processing will only be lawful if one of the following conditions is met:

  • The Data Subject gives consent for one or more specific purposes
  • Processing is necessary to meet contractual obligations entered into by the Data Subject
  • Processing is necessary to comply with the legal obligations of the controller
  • Processing is necessary to protect the vital interests of the Data Subject
  • Processing is necessary for a task in the public interest or in the exercise of authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests of the controller


Consent

You need to have consent from the individuals that you keep information on, and make sure that it meets the GDPR requirements. For example, it must be:

  • Given freely
  • Specific
  • Informed
  • Unambiguous
  • Up to date

Consent must be documented, and a record should be kept of what data they have agreed to share. The patient can tick a box or sign a form to acknowledge that they understand why you want/need to process their data – this is known as Explicit Consent.

Please also keep in mind that consent can be withdrawn at any time.


Consent from Young Persons

If you are keeping information on children, then you need to be able to verify their ages and document how you have obtained parental/guardian consent for data processing.

The GDPR has set the age at which a child can give their own consent to 16.

There will be special protection for young persons' data on social media.


Protecting Data

All personal data must be protected.

You should consider who has access to the data and whether it is necessary for them to have access.

Is everything stored securely in lockable filing cabinets?

Are computers all password protected?

These are just a few examples of things you may want to consider.

You should document how you will detect, report, and investigate any breaches.


Data Breaches

The GDPR introduces a duty on all organisations to report certain types of data breaches to the ICO and, in some cases, to the individuals themselves.

If there is a data breach, you have 72 hours to report it to the ICO.

Failure to report a breach could result in a fine of 4% of your organisation's global annual turnover.


Data protection by Design and Data Protection Impact Assessment

A Data Protection Impact Assessment is mandatory in certain circumstances, for example:

  • When new technology is being used
  • Where profiling could significantly affect individuals
  • Where the processing is on a large scale


Marketing Emails

All your patients (past and present) should be asked to give their explicit consent to receive marketing emails from the organisation.

You must keep a record of consent and be sure to advise people how to opt out or alter their contact preferences.

Always ensure the details are up to date and that only the people who have given consent are on the mailing list.

Don’t forget that even if you are a small practice/organisation, these changes apply to everyone.


1. What does GDPR stand for?
2. What personal information does GDPR relate to?
3. What is GDPR a direct replacement of?
4. What does PII stand for?
5. When does GDPR take effect?
6. As an individual, what rights do you have? The right to...
7. What is the definition of a Data Controller?
8. What is the definition of a Data Processor?
9. What is the time frame in which to report a data breach to the ICO?
10. What does ICO stand for?
11. What is the maximum fine a business can get from the ICO?
12. Below what age should parental or guardian permission be requested?
13. What is the time period in which you must respond to subject access requests?
14. The Data Subject is the individual?
15. GDPR is only applicable to practices that employ over 5 members of staff
