Make your patient testimonial marketing GDPR compliant with a model release contract
Make sure you have all the right consents in place.

By Luc Wade, Management Consultant at Hive Business

It’s been a year since the dreaded GDPR deadline. Scaremongering meant that many businesses unnecessarily deleted databases that had taken years of engagement to clean and verify, and the official compliance guidelines were vague (and soporific) enough to increase the demand for support in this area.

Often the first thing clients ask us when they’re planning a new marketing activity is “is it GDPR compliant?” Confusion persists around what’s allowed with content like patient testimonial videos and social media adverts, so we spoke to Amanda Williams for more clarity. Amanda is a marketer and privacy professional. She has the CIPP/E qualification in pan-European data protection law and works with CloudLegal Support, a legal consultancy which advises businesses in this area.

How can dentists ensure they’re not restricting their marketing unnecessarily?

Before you think about marketing to patients or prospective patients, it’s a good idea to do an audit on all the types of personal data you process. This might involve questions such as: how did I obtain the personal data? Why am I processing the personal data? Have I identified a legal basis and who am I sharing this data with?

Once you have identified that you have a lawful reason to process this personal data, you can start to work out if you can send marketing to them and how you are going to go about it. If you are marketing to prospective patients, you will need their consent and this needs to be at GDPR standard. This means that it needs to be: freely given, specific, informed and unambiguous.

If you are marketing to existing patients (or those who have ‘entered into negotiations’, for instance they have asked for a quote for your services), you are able to opt them in to your marketing without their consent. This is governed by the Privacy and Electronic Communications Regulations (PECR); however, you do also need to ensure the following:

  1. That personal data was obtained during the course of ‘sales’ (or negotiations for a ‘sale’)
  2. Give your patient an opportunity to opt out at the point of ‘purchase’
  3. Provide ‘opt outs’ on subsequent marketing communications
  4. Only market similar goods and services

The correct legal basis here is ‘legitimate interest’ and it’s good practice to have done a ‘Legitimate Interest Assessment’, which is a document you keep on file to show that you’ve thought about the impact of your marketing on your patients and shown that it’s relevant, proportional and doesn’t override their right to privacy.

Legitimate interest is good news for dentists — far too many organisations were badly advised last year and as a consequence, deleted personal data from their marketing lists when they didn’t need to. Don’t forget that traditional forms of marketing are still very effective, such as posters, direct mail and print advertising. Social media advertising can also be a good source of lead generation.

How can dentists make their patient video testimonials and before and after photos compliant?

Pictures and videos are considered to be personal data and in order to share these for marketing purposes, you need to identify a legal basis on which to do so.

A signed ‘permission slip’ on which your patient is told exactly what will happen to their pictures may not be appropriate, because it is easy for a patient to withdraw their consent. This means that if you have published pictures online or offline using consent, which is then withdrawn, you are no longer able to use the pictures.

A better solution may be to use a ‘model release form’ which means that the legal basis would be ‘contract’, which is more robust. As part of the process, you should explain very clearly what you intend to use the photos and videos for. If you are going to use pictures and videos in your marketing strategy it would be a good idea to include this in your marketing Data Protection Impact Assessment (DPIA).

How can dentists keep their social media advertising compliant?

There are a number of things to consider when using social media and staying within the law and also the terms of the various platforms. For example, if you are using ‘influencers’ to market your products or services, remember the Advertising Standards Authority (ASA) guidelines on transparency in marketing. A number of celebrities recently fell foul of the law by promoting products without telling their followers that they had been paid to do so.

If you are running a Facebook competition, make sure you are aware of Facebook’s own rules. For example, you are not allowed to ask people to ‘share on their profile’ in order to enter competitions. Many organisations do this, but it puts you at risk of Facebook banning your page.

Be very careful if you import personal data into Facebook to create a custom audience. Make sure you have all the right consents in place to do so — these should have been obtained when patients signed up to your marketing list. The Data Protection Authority in Germany has just ruled that custom audiences are illegal without explicit consent.

In GDPR terminology, you are considered to be a ‘joint controller’ with Facebook when you have a Facebook page for your organisation. It is good practice to post a link to your privacy notice in the ‘about’ section of your page. While you’re there, it’s worth writing a few words about acceptable behaviour on your page too — and then monitoring the page for unacceptable posts. When you collect consent via a lead generation advertisement remember to hyperlink to your privacy notice so that the consent is informed.

Be sure to reflect all of your marketing activities in your Privacy Notice so you are being transparent, honest and in compliance with the law.

It’s been a year since the deadline — from your perspective, how has GDPR impacted dental businesses?

Some dental practices will have had to appoint a mandatory data protection officer and others have chosen to appoint data protection managers or compliance leads. Whichever it is, it’s important to have someone in the organisation who can oversee compliance issues and make sure that everyone’s training is up to date.

The GDPR ushers in a new era in data protection and as the Information Commissioner, Elizabeth Denham, recently reminded us, accountability isn’t optional, it’s a legal requirement which offers organisations an opportunity to go beyond a box ticking culture of compliance.

What should practice owners who are concerned that they’re not compliant do?

Ask yourself three questions:

  1. Have I audited the personal data that my organisation processes? Before you write your privacy notice, it’s important to know what you are going to put in it. Ask yourself: What personal data am I processing (customers, staff, suppliers etc)? Do I have a legal basis for this personal data? Have I identified how long I’m allowed to keep this personal data for? Which third parties am I sharing personal data with, and am I allowed to do this?
  2. Have I trained my staff? The Information Commissioner’s Office (ICO) will ask to see your staff training record because many data protection breaches occur due to poor or absent training. For most staff, a regular overview and reminder of data protection issues relating to their job roles is sufficient — this, along with great policies and processes, means you’ll have evidence that you are taking accountability seriously.
  3. Do I know when I need to do a Data Protection Impact Assessment? A DPIA used to be optional. Since the GDPR became enforceable, it is now a legal requirement and a great way of showing that you take accountability seriously. It might be that, in the event of an investigation, the ICO will want to see evidence of your DPIAs or evidence to show that you didn’t need one. There’s lots of information on the ICO website about how and when to do a DPIA and the list is quite long, so it’s worth checking out. If you’re planning a new website, CCTV in your premises or you’re processing special category data, you’ll definitely need to show that you’ve paid close attention to how your business ‘process’ will take into account ‘the rights and freedoms of data subjects’ (that’s GDPR speak for looking after your patients’ personal data).

If you would like to discuss your marketing requirements with us please get in touch with Hive. For more information on GDPR and access to a selection of free downloads from CloudLegal Support please contact Amanda Williams at

The information contained in this article is based on the opinion of Hive Business and does not constitute formal tax advice. Any tax outcomes will be based on individual circumstances, tax legislation and regulation, which are subject to change in the future. You should seek specific advice before embarking on any course of action. Hive Business does not provide regulated Financial Advice, including advice on investment, insurance or lending products or their suitability for you. This article is provided for information only and does not constitute, and should not be interpreted as, investment advice or a recommendation to buy, sell or otherwise transact, or not transact, in any investment including Bitcoin and other crypto. Any use you wish to make of any information contained within this article is, therefore, entirely at your own risk.

By Luc Wade Marketing Director
If you have any questions or comments about this article, please get in touch.