By: Gregor McPherson

The GDC, GDPR and Dental Chatbots

Hello 👋 For the last year I have been working on developing a Digital Receptionist based on a Chatbot platform 🤖. This product is unique to the Dental Sector, because it has been set up and is constantly being updated by Dentists.

To ensure compliance with our products, I have been in communication with the Information Commissioner’s Office (ICO) and discussed the issue with two separate GDPR Compliance Officers. During these discussions, it became apparent that some of the Chatbots being used by Dental Practices do not comply with GDPR. Therefore, it is my understanding that every time a patient makes an enquiry with one of these Chatbots via a Practice’s website, they are in fact unknowingly breaching GDC Standards specifically related to patient confidentiality: 4.2, 4.3 & possibly 4.5.

Why is it important your Dental Chatbot is GDPR compliant?

For the last 2 months, I have been covering Dental Emergencies for a Practice whose two Principals were both suspended for 18 months because their Practice Manager forgot and then covered up, not registering their Dental Practice with Health Improvement Scotland. So, unknowingly they were not registered and in the eyes of the GDC were operating illegally. Fortunately, their suspensions were eventually overturned; however, this just highlights how other people’s mistakes can affect Dentists. I do not know how severe a punishment the GDC would hand out for multiple issues in relation to breaches of patient confidentiality; however, I also wouldn’t want to find out.

So what do you have to do to make your Chatbot GDPR compliant?

To cut a long story short, all parties involved in Data Processing or Data Control must be disclosed to the users of your Chatbot. This means that if you are simply using your Practice Privacy Policy to ensure GDPR compliance, then this policy must state who the Data Processors and/or Data Controllers are and how they are using patients’ data. Usually, the Data Processor would be the company supplying the Chatbot software and the Data Controller would be the person managing the Chatbot and supplying you with analytic data from it.

If you are receiving any data from your Chatbot on things like conversion rates, or someone is viewing patient information to ensure the Bot is working correctly, then they would be considered a Data Controller and would need to be registered with the ICO Registration Document:

Our Digital Receptionists are set up to be fully GDPR compliant. Any patients using them are notified about who their data is being sent to and how that data is being used. We have also included a separate section that links to your Practice Privacy Policy. Our Digital Receptionists have been set up this way to make things as simple as possible for Dental Practices and this also means you don’t have to rewrite your Practice Privacy Policy to make sure you’re GDPR & GDC compliant.

I am not an expert on GDPR, but I have studied the literature on this boring topic and sought advice from appropriate people. If you have any questions on this matter, please send me an email and I will try to help to the best of my abilities.


Posted in Digital Receptionist
