10 steps to a GDPR-confident dental practice (Ireland)
This checklist summarises what Irish dental practices are routinely advised to have in place under GDPR — not legal advice. Use it to spot gaps before the next patient access request or DPC enquiry. Official guidance lives with the Data Protection Commission (DPC) and your professional advisers.
1. Name someone responsible
Every practice should know who handles data protection questions — often the owner-dentist or practice manager. You do not always need a formal DPO appointment, but you do need clear accountability and a contact point for staff and patients.
2. Know what you hold
List the main categories of personal data you process: patient charts, imaging, correspondence, payroll, CCTV if applicable, and marketing lists. Note where each lives (practice software, email, paper, backups). An Article 30 record of processing activities is the structured version of this audit; even a simple spreadsheet is better than nothing.
3. Publish clear privacy notices
Patients should understand what you collect, why, how long you keep it, and their rights — including access and complaint routes to the DPC. Notices should be easy to find at reception and on your website, and updated when processing changes.
4. Write a subject access policy
Document how requests arrive, who verifies identity, where you search, how you redact third-party data, and who approves the final pack. Staff should not improvise when a solicitor’s letter lands. See how to respond to a DSAR for the operational steps.
5. Set retention rules
Keep clinical and admin records only as long as needed for care, legal, and regulatory purposes — then delete or anonymise securely. Retention should match professional guidance and be written down, not “we keep everything forever just in case.”
6. Plan for the one-month access deadline
Under GDPR Article 12, you normally have one month to respond to a right-of-access request (Article 15). Extensions are possible in limited cases. Build a calendar trigger the day a valid request is logged — not the day someone remembers to start searching charts.
7. Know the 72-hour breach rule
If personal data is lost, disclosed, or accessed without authority and the breach is likely to result in a risk to individuals' rights and freedoms, you must notify the DPC without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Keep a simple breach log, recording breaches you decide not to notify as well as those you do, and know who decides whether notification is required.
8. Train staff
Reception, clinicians, and locums should recognise a subject access request, know not to delete relevant records, and escalate promptly. Short, recorded briefings beat a policy binder nobody opens.
9. Protect records day to day
Role-based access in practice software, encrypted backups, clean-desk habits, and careful use of email for clinical attachments reduce the chance of both breaches and over-disclosure on access requests. See our security page for how Ghost handles data when you use it for redaction and case management.
10. Log what you send
When you respond to a patient, keep a record of the date, what was included, what was redacted or withheld (with reasons), and how it was delivered. If the DPC, a patient, or your insurer asks later, you should not rely on memory. Ghost’s privacy request manager and audit log are designed for this step — see Ghost for Irish dental practices.
Get started
Want a calm subject access flow instead of a scramble? Start with the free redaction tool, or run your next request end-to-end on a free trial.