EthicalThe General Data Protection Regulations (GDPR) impose restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. There are also requirements to document the lead data protection supervisory authority if an organisation operates in more than one EU member state. This is unlikely to be relevant to UK dental practices, most of which operate only within the UK, but there may be implications if your IT provider send or stores your data outside of the EU or if you use dental laboratories or suppliers in non-EU countries.

* Note: Following Brexit, European Union GDPR regulations no longer apply to the UK. GDPR has been incorporated into UK data protection law as the UK GDPR. The Data Protection Act 2018 is the UK implementation of the UK GDPR.  The ICO has a five part guide on data protection, including UK GDPR responsibilities

Confirm that the providers of your IT services do not send or store your data outside the EU.

  • If personally identifiable information is stored outside of the UK, additional measures will be necessary to ensure GDPR compliance. Your indemnity provider may be able to provide advice.

Contact your indemnity provider for advice if you share personally identifiable information with dental laboratories or suppliers in non-EU countries.


This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply and be able to advise you regarding particular issues that may arise from GDPR implementation.