15 March 2022

Ultimate Guide to GDPR for Dental Practices


Since its inception, the General Data Protection Regulation (GDPR) has regularly been in the news and on the minds of dental practice owners affected by it. Understanding how this important piece of data privacy legislation impacts your busy office and how to remain compliant is crucial. This is especially true in the realm of digital marketing.

To help ensure your company is up to date and using GDPR best practices, Adit has put together this comprehensive guide. We cover what this requires and provide actionable tips to help you remain compliant.

What is GDPR?


The GDPR is a data protection law that seeks to safeguard the sensitive data of those who reside in the European Union. These strict privacy rules went into effect in 2018 and updated the 1950 European Convention on Human Rights so that it remains effective in our ever-changing digital era.

This was a necessary update to ensure that the boundaries between one's personal and public information were better recognized and respected. It achieves a heightened level of data security by regulating the collection, use, disclosure, and other processing of individuals' personally identifying information in the EU by those who control and/or handle their data.

What Types of Data Fall Under the GDPR?


Under its privacy rules, the GDPR governs any data relating to an individual living in the EU that can directly or indirectly identify them. This covers more than just addresses or banking information; it also includes information about one's behavior patterns. It doesn't matter what form this data takes, either. It can be:

  • Video
  • Images
  • Words
  • Audio
  • Numerals

Even if these details are not factually accurate, they all receive GDPR protection because they are linked to someone's identity.

How GDPR Affects Dental Practices


To understand how GDPR can impact your dental office, let's break down how data gets used. Generally, the GDPR recognizes two primary roles for those who handle personal data: those who process it and those who control it.

Data Controllers

Under the GDPR, controllers determine the purpose and means of processing personal data. A single individual in your office could fill this role, or it could be a corporate controller designated by your company.

Data Processors

The role of a data processor is defined as a single person, agency, public organization, or other entity that processes private information for the controller. Processors don't decide how your patients' personal data gets handled but follow the guidance they receive.

Example of a Data Controller and Data Processor Relationship

Typically, your dental office would be considered the controller because you will determine how you want your patients' sensitive data handled. On the other hand, companies like Adit would be viewed as a processor since we would use this information according to your instructions when creating email campaigns, for example.

It's important to note that processors still have to comply with GDPR when handling your patients' private data protected under this law, regardless of your instructions. For example, if your practice sells whitening kits, specialty toothbrushes, or teledentistry in an online marketplace, and you offer these globally, both your dental practice and your processors must comply.

How GDPR Affects Dental Practice Marketing Strategies


At Adit, one of our strongest service areas for dental practices in the United States and globally is digital marketing. Because successful marketing strategies require collection and analysis of data to yield the best results, it's vital to be aware of what aspects of your advertising are impacted by GDPR, including:

  • Website cookies for tracking
  • Lead information generated by online ads
  • Website contact forms
  • Email addresses for ad campaigns, monthly newsletters, and other lead magnets

Below is a quick overview of each of these marketing aspects and how GDPR may affect them:

Website Cookies

When visitors come to your dental practice website, cookies are used to track their preferences and interactions to help you better target your ads to their behavior. GDPR requires you to keep an updated Cookie Policy available on your site and get consent from visitors before storing and accessing any of this information.

Online Ad Generated Leads

When patients and prospects click through your Google Ads to your landing page and then fill out your provided contact form, they consent to communication with your company about the service or offer requested. For example, they might receive a free teeth whitening kit in exchange for subscribing to your monthly oral health newsletter with their email address.

Typically, you would include an option they can opt in to or out of with a simple click in a selection box for receiving additional communications from you regarding services and products. With the right dental practice management system, like that provided by Adit, a record of their consent is kept and can be made available if they should ever request this information.

Website Contact Forms

Encrypting traffic to your website is another crucial step in ensuring compliance with GDPR. This is especially important when potential patients communicate with you through online forms like those on a Contact Us page.

One of the easiest ways to achieve proper security against attackers trying to steal information from these transmissions is by having an SSL/TLS certificate on your website so that form submissions travel over HTTPS. These are relatively inexpensive nowadays and will reassure your visitors that they can securely submit information through your website.

Storing Patient Email Information

If you plan to send emails to your patients for appointment reminders, account billing, or any marketing campaigns, you must have their consent before sending. Doing so helps ensure your communications don't fall afoul of CAN-SPAM laws and get your dental practice's email address designated as spam. If this happens, anything you send out will get filtered into patients' junk folders.

Further, it shields you from violating the GDPR law regarding spamming. One of the most straightforward methods of gaining consent to send emails to your patients involves using an opt-in clause in their medical file. You should use clear language that explains precisely what they are consenting to receive. Many dental practices use two different opt-ins, where one covers general patient communications regarding things like reminders, and the other opt-in covers marketing and promotional emails.

No matter what marketing uses you have planned for your patients' private data, GDPR and other similar laws like HIPAA require you to protect it.

10 Steps to GDPR Compliance for Dental Practices


Not sure if your dental practice meets the standards for data privacy protections set forth by the GDPR? Consider the following ten steps to reform your current processes and develop best practices:

Assess the Types of Data You Collect

One of the biggest challenges is understanding the data you collect from your patients and prospects. Get started by first determining the sources providing your dental office this information, which could include:

  • Landing pages
  • Online contact forms
  • PPC campaigns
  • Cookies
  • Patient management software
  • Electronic Health Records
  • Lead magnets
  • Email campaigns
  • Newsletters
  • Social media

As you can see, there are many channels through which personally identifying information can be shared with your office, and the GDPR demands that it be protected. This is why identifying sensitive data and the sources that generate it is crucial to compliance. Even IP addresses can fall under this umbrella of security requirements if they are linked to an individual. So, if your ad campaign not only collects a prospect's email address but also tracks their IP address, that too would require protection.

You Need a Data Protection Officer (DPO)

The GDPR requires controllers and processors to have a Data Protection Officer (DPO) to oversee a dental practice's data protection strategy if any of the following conditions apply:

  • A public authority is processing the data
  • Data is systematically monitored
  • Large amounts of data get collected and processed

What constitutes a large amount of data is unclear in the GDPR, so many dental organizations opt to have a DPO out of caution. Appoint someone to this role who can perform the following required duties:

  • Ensure GDPR compliance by monitoring data processing
  • Advise controllers and processors on compliance best practices
  • Advise you on impact assessments regarding your data protection
  • Be the primary contact for data processing inquiries
  • Serve as the direct contact for the company when speaking with GDPR regulators
  • Understand the many risks related to processing data
  • Have demonstrated experience and training regarding GDPR law and best practices

To ensure your DPO's efforts are successful, your dental organization should also conduct regular monitoring to identify any vulnerabilities that could jeopardize the security of the data you collect.

Create a Data Register

Another important compliance best practice for GDPR is maintaining a data register that keeps a record of how your dental office handles the private data it uses. This is an extremely helpful diary that maps out your data flow in your company. Keeping detailed notes and records will prove your compliance should an audit or data breach happen. It can also help your team develop improved data security and show your dental office is dedicated to protecting patient data.

Assess Your Data Collection Requirements

One vital step to consider in developing a secure data collection process is to assess what information is necessary. The GDPR expects dental practices only to collect required information and not accumulate this data without reasonable cause.

Further, any data you collect which is considered highly sensitive under this law must be carefully reviewed. Privacy Impact Assessments and Data Protection Impact Assessments are mandatory for some types of personal information, which could include:

  • Addresses
  • Behavior patterns
  • Data associated with minors
  • Information gathered by new technology your office is using
  • Data that is part of an automated process
  • Identifying details gathered from public areas you monitor (parking lot, waiting room, etc.)
  • Personal data involving:
    • Religious preferences/views
    • Ethnicity
    • Political/philosophical opinions
    • Membership data
    • Genetic and/or biometric data
    • Health records
    • Sexual orientation/Gender identity

Don't Delay in Reporting Data Breaches

Under GDPR, if your dental office experiences a data breach, you must report it promptly, within 72 hours. This requirement applies to both controllers and processors. To ensure that reporting occurs correctly, follow the chain of command below:

Processors should report incidents to their controllers. From there, controllers report to a supervising agency (Data Protection Association), which acts as the contact point with the GDPR authority.

Be Upfront About What Data You Collect and Why

In a digital age where personal data has become an invaluable commodity, your patients count on you to be transparent about the information you collect and the reasons for doing so. GDPR prohibits the clandestine collection of their data, so to avoid financial penalties, make sure you have a clearly displayed acknowledgment wherever their information is collected or stored.

Check out these common locations dental companies can display such notifications:

Cookies

Cookies are considered data collectors by the GDPR because they can identify users. To ensure your gathering of this information is done in an informed way, make sure to do the following:

  • Request consent from site visitors before cookies begin collecting their private data
  • Be clear about how your company uses cookie data
  • Keep a log that shows each user's consent
  • Let visitors access your website even if they decline to allow the use of cookies
  • Make it easy for users to withdraw their consent at any time

Site Forms

Another area that should display notification of data collection is pages with submission forms. For example, suppose you have a landing page offering free whitening strips in exchange for a visitor's contact information, or a newsletter sign-up promotion asking for their email address. In that case, you should first be clear on what data is collected and how you will use it. Keep the language straightforward and simple to understand.

Age Verification

Under the GDPR, only individuals at least 16 years old can have their personal data processed on their own consent. If your dental office needs to gather personally identifying information from minors under this threshold, you must obtain consent from their parent or legal guardian.

Additionally, if your site may engage those under 16, it must have an age verification process before collecting their data.

Consider Using a Double-Opt-In for Email Sign-Ups

A great way to eliminate any doubt that an individual consented to receiving email communications and promotions from your dental office is a double opt-in sign-up process. This requires the user to agree when initially submitting their information and then complete a follow-up email confirmation. It is not mandatory under GDPR guidance, but it's a wise step for compliance.
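As an added example (not Adit's code and not part of the original article), the following Python sketch shows the double opt-in flow described above together with the consent record mentioned earlier: the form submission only logs a request, the confirmation link carries an HMAC-signed, time-limited token, and only a verified confirmation (or a later withdrawal) changes what the log reports. The secret key, the 48-hour token lifetime, and the field names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed server-side secret (constructed placeholder); load it from a secrets store in practice.
SECRET_KEY = b"replace-with-a-long-random-secret"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after 48 hours (assumed)


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


@dataclass
class ConsentLog:
    """Append-only consent diary: every event is kept so the history can be produced on request."""
    events: list = field(default_factory=list)

    def record(self, email, purpose, action, at, policy_version):
        self.events.append({"email": email, "purpose": purpose, "action": action,
                            "at": at, "policy_version": policy_version})

    def has_consent(self, email, purpose):
        # The most recent confirmed/withdrawn event decides; a bare request is never enough.
        state = False
        for e in self.events:
            if e["email"] == email and e["purpose"] == purpose:
                if e["action"] == "confirmed":
                    state = True
                elif e["action"] == "withdrawn":
                    state = False
        return state

    def history(self, email):
        return [e for e in self.events if e["email"] == email]


def start_signup(log, email, purpose, now, policy_version):
    """Step 1: form submitted. Log the request and return the token for the confirmation email."""
    log.record(email, purpose, "requested", now, policy_version)
    payload = f"{email}|{purpose}|{now}|{policy_version}"
    return f"{payload}|{_sign(payload)}"


def confirm_signup(log, token, now):
    """Step 2: confirmation link followed. Reject tampered or stale tokens; otherwise log consent."""
    parts = token.rsplit("|", 4)
    if len(parts) != 5:
        return False
    email, purpose, issued, policy_version, sig = parts
    payload = f"{email}|{purpose}|{issued}|{policy_version}"
    if not hmac.compare_digest(sig, _sign(payload)) or now - int(issued) > TOKEN_TTL_SECONDS:
        return False
    log.record(email, purpose, "confirmed", now, policy_version)
    return True


def withdraw_consent(log, email, purpose, now):
    """Withdrawal must be as easy as granting; it is logged as a new event, never by deleting history."""
    log.record(email, purpose, "withdrawn", now, None)
```

The history returned by `ConsentLog.history` is what you would hand over if a patient asks what they consented to and when.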

Regularly Update Your Privacy Policy

Privacy policies are not "one and done" elements of your website. Under GDPR, dental practices and any other companies processing sensitive consumer data need to keep their privacy policies up to date. Updates could be prompted by changes in the laws governing your company, a change in how you do business, and numerous other reasons. Whatever the reason, when making changes, make sure your patients are notified by email.

Any privacy policy you use should be clear on the type of data your business collects and how it gets used.

Regularly Check Your Data Collection Practices for Vulnerabilities

The GDPR and similar laws throughout the world expect organizations to be vigilant in staying aware of all data security risks that could endanger private consumer information. This also means having remediation strategies in place should a breach or hacking attempt succeed and expose identifying details related to your dental patients.

At Adit, we understand that creating a secure data environment requires rigorous monitoring and testing. Having a world-class digital security team for smaller dental firms may seem a tall order. Still, by relying on a cloud-based practice management solution, we can help you achieve compliance.

Adit Understands the Importance of GDPR for Dental Practices Worldwide


You need state-of-the-art digital tools to help your dental company identify and address security vulnerabilities that could impact your compliance with GDPR requirements. Our dental practice management software will empower your team to gather invaluable insights from collected patient data while ensuring this sensitive information stays secure and protected. No matter what sources you use, whether a social media ad campaign or a lead magnet to drive more traffic to your website, we will ensure your efforts are compliant and protect the data your patients entrust to you.

Find out more about how our cutting-edge digital tools can streamline your operations, build your brand, and boost revenue streams. Request a free demo today!

Angela Ledford

Director of Marketing

Angela is a former English teacher turned marketing content specialist. Over the past 10 years, she’s developed marketing strategies to forge enduring bonds between B2B, B2C and SaaS companies and their clients through holistic education, effective communication, and captivating storytelling that moves audiences to act.