GDPR: To DPO or not to DPO – a guest post

I’m frequently contacted by people who have products and services of relevance to my clients. For over 20+ years I have maintained a policy that I do not accept introducers fees or commissions – I simply broadcast and comment on good ideas.


Mubbasher Khanzada

10thMay 2018

According to the Information Commissioner’s Office (ICO), for the ongoing compliance with GDPR, it is a mandatory requirement* for the dental practices, whether NHS or private, to appoint an independent Data Protection Officer (DPO) in addition to meeting with GDPR requirements.

A lot of dentists may think that they don’t need the Data Protection Officer (DPO) function for their practice, or that the principal dentist or practice manager can add the word DPO in their title and the regulatory responsibility is fulfilled. There are a number of consideration to keep in mind.

First, the DPO has to be independent and must not have conflict of interest.

Second, dentists want to do dentistry and generate income for the practice, rather than spending time on learning Data Protection Regulation, legalese and details of IT & encryption technologies. Practice staff is already stretched, so they may not be able to accommodate a new but crucial responsibility effectively.

Third, the legislation with its recitals is over 150 pages long, the implementation requires a lot of knowledge about information systems, data storage, privacy regulations, roles and responsibilities, legal requirements and understanding of the technologies and methodologies.

Additionally, in some cases the principals and owners may not be willing to grant access to internal team members to have full access to their computers which may contain their confidential information.

The DPO Function has quite a few requirements, this role includes, for example, the following (non-exhaustive) list:

Risk Assessment:

  • Data protection impact assessment (DPIA) (i.e. gap analysis and risk assessment)
  • Data inventory and data flow analysis
  • Supplier / vendor analysis
  • Findings and remediation

Frameworks, Policies and Advice:

  • Design of data privacy framework and documentation of policies and procedures
  • Advice on privacy rights management (information, access, rectification, objection, erasure and data portability)
  • Data protection awareness and training
  • Point of contact for all data protection matters

Administrative and ongoing work:

  • Provide guidance on data breach monitoring, management and reporting
  • Data subject access rights management
  • Consent/ opt-in management
  • Risk Register
  • Personal data processing register
  • Supplier/vendor register

Since compliance is an ongoing matter there are tools that can help with automating and streamlining processes associated data protection.

A practice could designate an internal team member, dedicated to providing the DPO function, however, for practices wanting to avoid the hassle, it is also possible to outsource the DPO role to external service provider companies.

Welltime (in collaboration with Data Decorum) is providing the external DPO service especially designed for Dental Practices. Created by a team of certified Risk Management and Data Privacy professionals with certifications in CISA, CRISC who are subject matter experts in data protection, privacy, IT audit/risk management and information security.
We are able to provide an end-to-end solution for GDPR compliance in the dental industry, benefitting from over 10 years of automation and integrations experience. We take the practice through a managed, structured 6 weeks compliance journey where we systematically guide, assist and enable dental practices to achieve GDPR compliance in a cost effective manner. And with our tools and automation, we can help the practices to remain compliant.



If you have any questions, please feel free to get in touch.

Mubbasher Khanzada


Published by

Chris Barrow

Chris Barrow has been active as a consultant, trainer and coach to the UK dental profession for over 20 years. As a writer, his blog enjoys a strong following and he is a regular contributor to the dental press. Naturally direct, assertive and determined, he has the ability to reach conclusions quickly, as well as the sharp reflexes and lightness of touch to innovate, change tack and push boundaries. In 2014 he appeared as a “castaway” in the first season of the popular reality TV show “The Island with Bear Grylls”. His main professional focus is as Coach Barrow, providing coaching and mentorship to independent dentistry.

One thought on “GDPR: To DPO or not to DPO – a guest post”

Comments are closed.