Individual Rights

Ethical

The General Data Protection Regulations (GDPR) include the following rights for individuals, most of which are similar to those included in the Data Protection Act 1998:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision making, including profiling

Where individuals ask to view the information that you hold, you must provide this free of charge and in an electronic and commonly used format. As individuals have the right to ask you to rectify or erase their data, you must ensure that the data you hold is easy to retrieve and delete if required. However, you are not required to delete dental records or essential employee information as you are obliged to retain these to meet legal and professional obligations; you may need to justify to a patient or a former employee your reasons for not deleting some of their data. You should also ensure that the processes you have in place for data processing are consistent with GDPR and you may need to put new processes in place. For example, the right to data portability, which is a new right under GDPR, allows a patient to ask for their dental records to be sent to another dental practice. You should document the process for doing this and ensure that it is done in a confidential and secure manner.

Ensure that all personal information that you hold is easy to retrieve and delete, if required.

Ensure that the processes you have in place for data processing are consistent with an individual’s rights under GDPR (e.g. the process to correct or delete personal data, the process to provide data electronically and in a commonly used format following a request for access).

  • Be aware that you may need to put new processes in place to cover rights which have been introduced under GDPR (e.g. the right to data portability).

Disclaimer

This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.