top of page
a blog by Chris Barrow

GDPR and small business – why not just ignore it? – a conversation at The Dentistry Show

Mubbasher Khanzada

22 May 2018

At the The Dentistry Show and BDA event last week, I had a fascinating conversation with dental business coach Chris Barrow on the topic of regulations pertaining to the dental industry. He pointed out that the UK dental industry has been hit with many regulations over the years, they had the compliance requirements for the Data Protection Act (DPA), the Care Quality Commission (CQC), the HTM 01/05, the Friends and Family Test (FFT), the GDC rules etc. to name a few. Dentists are weary and skeptical about the new rules, CB is hearing 3 questions echoing from the dental community about the GDPR:

  1. Do Dentists need GDPR at all? And why?

  2. Is it worth it? What is the risk of not doing it? If we don’t do it, how would the authorities find out?

  3. What’s the penalty? Rather than having the hassle of compliance, why can’t we just bear the fines if and when they come (cross the bridge when we get to it)?

Let’s have a look at these questions in turn:

  1. Why do Dentists need GDPR?

There are two main considerations with regards to this:

  1. It is a legal requirement:

Different authorities regulate different industries to ensure that there are standards key stakeholders adhere to; like food and drink industry, HR and employment agencies, Finance and banking industry etc.

The GDPR initially originated in the EU, but it has been fully and wholly adopted by the UK authorities that deal with privacy and data protection, so the GDPR is going to remain with us. And from 25thMay 2018, it is the law. Just like car insurance is a legal requirement in the UK – people shouldn’t go around driving if the car isn’t insured – organisations must comply with the applicable law and protect the privacy and confidentiality of individuals they deal with. However, it is important to note that GDPR is not industry specific, any business controlling and or processing personal data must comply with it.

  1. The rationale:

The rationale for GDPR is actually quite simple: Because People have rights about their data, businesses need to respect those rights.

A lot of things have been standardised (e.g. COBIT 5 and other standards about management of IT) but there wasn’t anything like this which standardised Personal Data protection itself across industries and different territories. The GDPR fulfils that need. It provides harmonised standards across the European Union (EU) to protect the rights of individuals in the EU regarding how their Personal Data is being used. It is applicable across the industries and across territories. It is not only just for the dentists, it is for anyone and anywhere in the world where transactions are taking place and they are dealing with Personal Data relating to people in the UK or the EU. And as has been evident from the recent Cambridge Analytica / Facebook fiasco, there is a worry in people about their privacy and confidentiality whenever their Personal Data is being managed anywhere in the EU or the World. Organisations would have to follow the rules dictating how they must deal with the Personal Data.

How much rights should people have about their own Personal Data? That’s a political debate, there are forums to raise and discuss these issues, (some did raise it, like the BDA tried to raise it in the parliament – but the parliament rejected their appeal for exemption for appointment of a Data Protection Officer (DPO) for primary care providers from GDPR). Different organisations can keep on raising and debating these issues, so that one day their view is heard and perhaps incorporated, but until they get the law over turned or have exemptions written in it, the law simply has to be followed.

  1. Is it worth it? What is the risk of not doing it? If we don’t do it, how would the authorities find out?

If a person takes narcotic drugs in his home, or God forbid, is abusing a child, committing a crime within the confines of their home, how would anyone know?

But if the authorities find out for whatever reason and through whichever means, then that person will be prosecuted and where proven guilty will be punished.

In the context of GDPR compliance of dental practices; it may only take a few disgruntled patients (either genuine or nuisance factor) to launch complaints with the GDC / ICO to initiate an enquiry. Can a dental practice be absolutely sure that none of its patients (or current / ex staff members) would ever complain to the ICO because their access rights request was not fulfilled within 30 days?

It is also possible that an opportunistic cottage industry may spring up with the GDPR-violation-chasing-lawyers to turn a quick buck. Even when nothing is proven against a practice, there is still a lot of hassle and wastage of time in organising a defence especially in absence of well-structured GDPR compliance framework and regimen. It would rather make sense to be well prepared with the documented, policies, procedures, demonstrable and repeatable practices to reduce the dental practice risk exposure.

Like any other regulation or law, it takes time for authorities to enforce it and eventually enable a cultural shift. Examples of recent past can be seen in financial services where fines imposed on few organisations enabled wider compliance. In other cases, in the same industry some continue to pay the price such as PPI claims.

  1. What is the penalty? Is the hassle worth it?

Generally, the rules and regulations in a society are made for the protection of its members. They are there to have justice and fairness, to govern and manage different people’s rights.

If there were no penalties, still GDPR is a good law to follow, as it helps and protects peoples’ privacy and confidentiality. That in turn creates trust and credibility which is good for business. Most of these requirements are currently being followed and used in the dental surgeries in different forms as good practice and as part of the compliance with Data Protection Act (DPA) which the GDPR replaces.

However, deterrence makes sure people and organisations follow the laws (and it is justice that differentiates between people following compliance and people violating and breaking the law).

Article 83 of the General Data Protection Regulation provides details of the administrative fines. There are two tiers of fines.

The first tier is up to €10 million or 2% of annual global turnover of the previous year, whichever is higher.

The second tier is up to €20 million or 4% of annual turnover of the previous year, whichever is higher.

Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher level fine.

GDPR only provides the upper limit up to which the ICO can go when penalising an organisation, and from these numbers, it is evident that they had big fish like Facebook, Google, Amazon, the banks and other global companies in mind, it is worth noting that there isn’t any restriction or lower limit specified, nor a separate indication for smaller companies or SMEs, so while an organisation’s behaviour, data protection policies and culture will be taken into account; technically the ICO could slap a high fine up to these limits on any organisation.

Now the ICO is likely to take very reasonable approach and have the fines in accordance with the breach intensity and variation of circumstance, the authorities under the law can bankrupt the culprit if they wanted to (for instance to make an example and drive the message home to all others).

Some people are saying that the ICO isn’t ready for the GDPR and it would take them quite some time to get to the stage to be able to cope with the aftermath of GDPR. When asked this question, Nigel Houlden, the Head of Technology Policy at the ICO said on BBC Click programme on 20thMay 2018 that the ICO is ready to deal with the violators, they have had 2 years to prepare for the GDPR.

In conclusion, while there will be some dental practices that end up not taking GDPR seriously and not complying with it, just like some drivers choose to drive without the mandatory car insurance or driving while talking on the phone – they do so at their peril. The authorities can impose fines on the violators and severely impede the operations, growth potential, reputational risk, or even bankrupt the businesses – so let’s not take the risk, let’s remain on the right side of the law, and let’s value people’s right to their Personal Data.

If you have any questions please feel free to contact us.

Mubbasher Khanzada

Data Decorum


7 views0 comments

Recent Posts

See All


bottom of page