A Data Protection Officer (DPO) is a requirement under the General Data Protection Regulation (GDPR) for any public authority. Dental practices which treat NHS patients are defined as public authorities and therefore must appoint a DPO. This can be an existing employee, provided that their other duties are compatible with the duties of the DPO and do not lead to a conflict of interest, i.e. the DPO should not be the person with overall responsibility for the processing of personal data. It is likely that an internal DPO will require training to enable them to undertake their data protection duties. Alternatively, you can choose to outsource this function to an external provider, or you could work in combination with other local practices.
Appoint a Data Protection Officer; this may be an existing employee or an external provider of this service.
If your Data Protection Officer is an existing employee, such as a practice manager, ensure that:
- They receive appropriate training;
- They are able to carry out their duties in an independent manner;
- There is no conflict of interest with their other duties in the practice.
Disclaimer
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website [1] and via the EU GDPR learning resource [2]. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.