AI Dental Notes and GDPR: Four Common Myths
Dentascribe • 5 minute read • July 13, 2025

Artificial intelligence is rapidly changing the landscape of dentistry, promising to save us time and streamline our workflows. AI-powered audio note-taking, in particular, is a game-changer. But as with any new technology, it comes with confusion and misinformation, especially surrounding GDPR.
When it comes to data protection, you can’t afford to get it wrong. The responsibility for your patients’ data ultimately rests with you and your practice. To help you navigate this new territory safely, we’re looking at four common myths about AI note-taking.
Myth 1: “You don’t need patient consent for AI audio notes if you’re not storing the audio.”
The Theory: Some platforms suggest that using AI to transcribe a conversation is no different from having a nurse in the room listening and typing notes. Because the audio file isn’t permanently stored, they argue, you don’t need explicit consent to record.
The Truth: This is a dangerous oversimplification. Unlike a nurse in the same room, an AI audio service involves transmitting large amounts of highly sensitive patient data across the internet to a third-party server for processing. This is a high-risk data processing event under GDPR.
This myth takes advantage of a grey area—AI software is new, and there isn’t a long history of legal case studies to point to. However, relying on a lack of precedent is a risky strategy. The Information Commissioner’s Office (ICO) puts a strong emphasis on transparency and lawful processing.
The Bottom Line: The safest, most ethical, and most legally robust approach is to obtain explicit consent from your patient before you hit record. A responsible platform should encourage this. That’s why at Dentascribe, we built a consent step directly into our AI recording so you’re reminded to ask for consent every time you start a recording.
Myth 2: “AI applications must have NHS DSPT or UK CyberEssentials certification.”
The Theory: To be used in a UK dental practice, any software handling patient data must have completed the NHS Data Protection and Security Toolkit (DSPT) and be UK CyberEssentials certified.
The Truth: While these certifications are signs that the platform takes data protection seriously, they are not a legal requirement for all software used by dental practices in the UK.
What is legally required is that any company processing UK patient data is registered with the ICO and is fully compliant with UK GDPR. A company should be completely transparent about its GDPR compliance measures.
This may change. These certifications may become a requirement for practices in the future, most likely starting with NHS-contracted practices, and they may eventually extend to private-only practices. But for now, the primary focus should be on robust, verifiable GDPR compliance.
Myth 3: “If a platform says they’re GDPR compliant, they must be.”
The Theory: AI platforms are externally audited for GDPR compliance. It’s an official, audited status.
The Truth: GDPR compliance is not an externally audited certification like an ISO standard. It is a framework of principles and practices that a company must implement and then self-audit.
This means it is your responsibility as the Data Controller to perform due diligence and determine if your chosen software partner (the Data Processor) is genuinely compliant. You are the one who is ultimately liable to your patients. Be wary of any provider that isn’t transparent.
When considering whether to use a web-based platform, look out for a detailed, transparent GDPR page and plenty of readily available information.
Myth 4: “I need my software to be HIPAA compliant.”
The Theory: HIPAA is the global standard for medical data protection, so any good medical software needs it.
The Truth: This is false. HIPAA (the Health Insurance Portability and Accountability Act) is a United States law. It has no legal bearing in the United Kingdom.
The UK’s legal framework is governed by the UK GDPR and the Data Protection Act 2018. The requirements are different, and what matters here is compliance with UK law.
Dentascribe was built by UK dental professionals for UK dental professionals. Our focus from day one has been on meeting the stringent requirements of UK GDPR to ensure your practice and your patient data are protected.
Conclusion
Adopting AI in your practice should reduce your admin burden, not add legal anxiety. By understanding the truth behind these common myths, you can make informed decisions that protect your patients, your practice, and your professional integrity.
Always remember:
- Consent is king. Always get explicit patient consent for audio recording.
- Focus on UK GDPR. This is the legal framework that matters, not US-based laws like HIPAA.
- Do your due diligence. A “compliant” sticker isn’t enough; verify the provider’s practices yourself.
At Dentascribe, we’re committed to not only providing a powerful tool but also supporting you with the knowledge to use it compliantly. If you have any questions about implementing AI safely in your practice, please don’t hesitate to get in touch.