March 14, 2025 • 5 minute read
Staying GDPR Compliant When Using Cloud-Based AI Platforms: Guidance for Practice Managers
A responsible cloud-based platform should be transparent about its GDPR compliance measures. Be wary of any provider that isn't. Just because a platform claims to be GDPR compliant doesn't mean it is, and you are the one ultimately liable to your patients if they complain. Remember: your practice is the data controller, while cloud-based solutions like Dentascribe are data processors. You remain responsible for your patient data, including reporting notifiable breaches to the ICO and, where the breach is likely to result in a high risk to them, informing the affected patients.
This guide offers step-by-step instructions for keeping your practice and organisation GDPR compliant when using cloud-based platforms. Note that some steps may not apply to your specific situation.
Checklist
- Understand the core data protection principles (5 minutes)
- Print out posters for your waiting room (5 minutes)
- Update your Privacy Notice (15 minutes)
- Sign a Data Processing Agreement (5 minutes)
- Complete a Data Protection Impact Assessment (45 minutes)
- Update your NHS Data Protection and Security Toolkit (if relevant)
1. Understand The Core Data Protection Principles
Lawful Basis
You must have a lawful basis for processing all personal data in your practice. The ICO Guide To Lawful Basis outlines the different bases. You only need one lawful basis for a given processing activity, but the ICO advises identifying the most appropriate one before you start rather than switching bases later, so choose and document it deliberately. Note that a recording of a clinical consultation is health data, a special category of personal data, so you also need a condition under Article 9 of the UK GDPR in addition to your Article 6 lawful basis; explicit consent satisfies both. For AI recording and documentation, there are two main bases to consider.
- Explicit Consent: Obtain clear, informed consent from patients before recording and document this in the patient record. A signed form isn't required, but a record that consent was given, and when, is.
- Legitimate Interest: Without explicit consent, you must document the benefits to patient care and complete a legitimate interest assessment. This approach isn't recommended currently, as AI audio notes are a new technology, though it may become viable in the future.
Explicit Consent provides the strongest legal basis—that's why Dentascribe verifies you've obtained consent before beginning any recording.
Fairness
Clear justification is needed for using personal data, but this is straightforward. Be prepared to explain how AI notes benefit patients by improving both the quality and efficiency of clinical documentation, leading to better patient care. Remember to always inform patients of their right to withdraw consent and stop audio recording at any time.
Transparency
Keep patients informed about your privacy notice and audio recording practices. A simple waiting room poster can serve this purpose.
Dentascribe has provided a poster you can print out and put in your waiting room.
2. Update Your Practice Documentation
Privacy Notice
Update your privacy policy to specify how you collect personal data through audio recording, explain your use of AI note-taking, and list who can access recordings and transcripts. If you are storing audio or transcriptions, clearly state the retention period and explain how patients can request access to or deletion of their data.
Dentascribe has provided a Privacy Notice template that you can use for your practice.
Sign a Data Processing Agreement
Execute a Data Processing Agreement (DPA) with Dentascribe to establish clear responsibilities and obligations regarding data processing. The DPA outlines how patient data will be handled, stored, and protected, ensuring both parties understand their roles in maintaining GDPR compliance.
You, the clinician, agree to a DPA when you create your account. You can also sign a DPA on behalf of your practice or organisation. Contact us at privacy@dentascribe.uk if you would like to sign a DPA.
Data Protection Impact Assessment
Conduct a DPIA to identify the potential risks of using AI notes and document the measures you take to mitigate them. A DPIA is mandatory where processing is likely to result in a high risk to individuals, and the ICO treats the use of new technology on health data as falling into that category. Review and regularly update the DPIA, particularly when the platform, your workflow, or your retention practices change.
Dentascribe has provided a DPIA template that you can use for your practice.
NHS Data Protection and Security Toolkit (if relevant)
Update your toolkit submission to reflect your new policies on AI notes and the third-party data processing agreement that is now in place.
3. Monitor Your Data Processor
Regularly review your platform's security measures and data handling practices, and monitor any updates to its privacy notice. Ensure the processor maintains appropriate technical and organisational measures to protect patient data, and that it reports any data breaches or security incidents to your practice without undue delay, as a processor is required to do, since your own notification deadline to the ICO runs from when you become aware of the breach.
Dentascribe has an in-depth GDPR page which describes the steps that we take to stay GDPR compliant.
Conclusion
These are the key points for maintaining your practice's GDPR and data protection compliance when using AI note-taking platforms. The good news is that by using Dentascribe's templates, you can complete all this within 1-2 hours. Keep in mind that compliance is not a one-time task—it's an ongoing process that requires regular monitoring and updates.
Dentascribe is committed to supporting your GDPR compliance. Contact us at privacy@dentascribe.uk with any questions about implementing these guidelines in your practice.