Deprecated: Function create_function() is deprecated in /nas/content/live/evolveconsult/wp-content/themes/salient/functions.php on line 5598

Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /nas/content/live/evolveconsult/wp-content/plugins/js_composer_salient/include/classes/core/class-vc-mapper.php on line 111
Legislation – Evolve Consulting Group



CPD Changes from GDC

The enhanced CPD scheme is starting on 1 January 2018 for dentists and 1 August 2018 for dental care professionals. Registrants risk removal from the register if they do not comply.

Enhanced continued professional development (ECPD)

The GDC has now published the enhanced CPD guidance document which is available on their website

Depending on your professional status, a minimum number of hours of verifiable CPD for each five-year cycle needs to be completed, as set out below.

Professional title Minimum hours of CPD per cycle
Dentists 100
Dental therapists 75
Dental hygienists 75
Orthodontic therapists 75
Clinical dental technicians 75
Dental nurses 50
Dental technicians 50

All registrants must also ensure that they declare at least 10 hours during any 2-year period, regardless of how many hours they have done during their cycle.​​

  • A Personal Development Plan (PDP) must be completed by 31 December 2017, available for future inspection by the GDC
  • All CPD must be linked to one of four ‘development outcomes’, a new GDC metric
  • You must submit a CPD statement every year as part of your annual renewal
  • There is no more need to record non-verifiable CPD from 1 January 2018
  • You must keep a log of CPD undertaken throughout the year.

For those in mid-cycle, the GDC have produced an online tool to help manage your CPD.

Frequently Asked Questions

Do I need to submit a CPD statement every year?

​Yes, it is a mandatory requirement to submit a CPD statement every year as part of your annual renewal. A statement must be made even if you have not undertaken any CPD hours. Failure to do so may put your registration at risk.

What is a Personal Development Plan?

​ A personal development plan must be created for each CPD cycle. A personal development plan specifies the areas of CPD you propose to undertake over the course of your cycle. It should be created at the start of your cycle but can be adapted throughout your cycle as your needs change.

Do I need to do any non-verifiable CPD?

​There is no mandatory requirement to inform the GDC of any non-verifiable CPD completed under the enhanced CPD scheme. However, if you are part way through your CPD cycle and transitioning to the enhanced CPD scheme, you will still be required to declare a pro-rata amount of non-verifiable CPD for those years that fell under the old CPD rules.

Will the GDC be quality assuring CPD?

​No. The GDC does not have the power to quality assure CPD.

I haven’t completed enough hours over my 5 year CPD cycle, can I have an extension?

If the minimum CPD requirement have not been completed. A request for a cycle extension can be submitted in writing 6 months before the end of the cycle.

For any further queries regarding a extension possibilities, please contact the CPD team at the GDC on +44 (0)20 7167 6000 or via email at

What do I need to keep for my written record?

​You need to keep a written record of:

  • a personal development plan which details all the CPD you plan to undertake, which is created from the beginning of your cycle but which can be adapted throughout your cycle as your needs change;
  • a log of the CPD you actually undertook- including the date it was undertaken and number of hours gained from each CPD activity;
  • the evidence (e.g. certificate) you gained from the providers for each CPD activity;
  • the development outcomes mapped against all planned and completed CPD activities

 What is the difference between a CPD statement and a CPD record?

A CPD statement is a declaration that you are required to submit each year to confirm that you have met the requirements set out in the CPD rules.

To ensure compliance your statement should confirm:

  • The number of verifiable CPD hours undertaken in that year, or if you have done no hours in that year, then confirm you have done zero hours;
  • A CPD record;
  • The CPD undertaken is relevant to your field of practice;
  • That the information you have provided is full and accurate.

A CPD record is the documentary evidence demonstrating each item of CPD you have undertaken. This comprises a personal development plan and log of all CPD activity you complete. You only need to show us your CPD record if we specifically ask you for it.

Your CPD record should contain:

  • a personal development plan which details all the CPD you plan to undertake, the development outcomes that you aim to meet and timeframe for completing the CPD. This should be created at the start of your cycle and adapted throughout your cycle as your needs change,
  • a log of the CPD you undertook- including the date it was undertaken, number of hours gained from each CPD activity
  • the evidence (e.g. certificate) you gained from the providers for each CPD activity
  • the development outcomes mapped against all planned and completed CPD activity.

 What do I need to give to the GDC and when?

For each year of your cycle, you must declare to the GDC that you have completed your CPD requirements for that year. You can do this by logging on to eGDC at any time of the year and making your annual CPD statement.

When your registration year has ended and the declaration period is closed for that year, you will not be able to amend your CPD statement for that year.

In the final year of your cycle, your annual statement must include:

  • The total number of hours of CPD you have undertaken in your five year cycle;
  • Confirmation that the CPD you completed was relevant to each field of practice you worked in for the five year period.
  • What if I am on maternity leave? Will this change my CPD requirement?
  • ​If you are on maternity leave and wish to remain registered, you will still need to meet your CPD requirements. This means you must fulfil all the requirements under the enhanced CPD scheme.

You do not need to physically submit your CPD record unless you are asked to. You may be asked to submit if you are non-compliant or for an audit.

For specific queries, or to book CPD courses for yourself or your practice, contact us. 

[gravityform id=”4″ title=”true” description=”true”]




Data Protection GDPR

What is the EU GDPR?

The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018 and all organisations are required to be compliant with GDPR by this date. The new regulation supersedes the implementations of the EU Data Protection Directive of 1995, which is the basis for the UK Data Protection Act 1998. The UK government’s new data protection legislation is expected to implement a large proportion of the GDPR and was published yesterday September 14 2017.

Why did the EU change its data protection regulations?

The previous data protection regulations were considered outdated for today’s increasingly digital society. The new legislation champions greater rights to data subjects, while streamlining data protection laws across the EU.

What about Brexit?

The new Data Protection Bill is based on the GDPR thus the majority of the legislation will remain the same. The Information Commissioner will continue to enforce Data Protection in the UK, and has confirmed that the GDPR will apply.

What is different about the GDPR?

  • Individuals and organisations who are either ‘controllers’ or ‘processors’ of personal data are covered by the GDPR. A ‘controller’ is in individual or entity that determines the purpose and manner of personal data use. A ‘processor’ is an individual or group that ‘processes’ the data on the controller’s behalf (obtaining, recording, altering or storing personal data)
  • Companies governed by GDPR will be more accountable for handling data
  • ‘Personal data’ will have a more broad definition, therefore more data will be regulated than previously, including an individual’s genetic, mental, economic, social, cultural identity.
  • Certain companies that process large scale or special personal data will have to employ a data protection officer (DPO)
  • The DPO must have sufficient knowledge in order to understand and meet the standards set by the bill
  • Mandatory Data Protection Impact Assessments (DPIA) have been introduced for high-risk data processing, which build on existing good practice Privacy Impact Assessments (PIA) as previously set out by the ICO as part of the Data Protection Act 1998
  • Data breach notifications will need to be made within 72 hours to the ICO including financial loss, confidentiality breaches and reputation damage
  • Data processors will also have legal responsibility and therefore may be held accountable for data breaches
  • The rules for obtaining consent have changed. A ‘positive opt in’ policy will be employed; explicit consent must be obtained to process data, by explaining in a clear manner that consent is being given for data to be used
  • Consent will be required for processing children’s data (under the age of 16)
  • There are restrictions on international data transfers
  • Hefty penalties have been introduced; organisations found in breach of the Regulation may be fined up to 4% of annual turnover or a maximum of €20 million – whichever is greater
  • There are processes in place for deletion of data; data subjects have a ‘right to be forgotten’
  • Individuals can now request information free of charge, whereas previously a Subject Access Requests would permit companies to charge £10 for data to be provided.
  • Time restrictions are in place for providing individuals with personal data- one month from the date of request

Things to consider in your practice- GDPR FAQs

Dental practices will hold personal data and ‘special’ – health – data

Who registers?

Employers and practice owners should register as controllers. Self employed associates should also register individually as controllers. Staff members who are employed or DFTs may be covered by their employer’s registration

Appointing a data protection officer

As dental practices process health data, this is considered ‘special’ data according to GDPR, therefore you will be required to appoint a DPO. Consider who you would appoint within your practice to lead data protection compliance. The DPO has a series of responsibilities which are directly set by the ICO, therefore this role will require some time from your staff members. The individual you choose is likely to require additional training to familiarise themselves with the legislation in order to facilitate GDPR changes by 25 May 2018. Some organisations consider outsourcing the role to an external consultancy to ensure compliance is met and standards are trained.

Determine what sort of data you hold and how it is stored

If you use online backups for your data, such as a Cloud server- check its location. Data should be held within the EU in accordance with the legislation. You may need to organise an information audit to determine the type of data you process.

What about Invisalign cases? This requires transfer of sensitive data to a non EU country. 

A risk assessment must be carried out for all international data transfers. Although the US has HIPAA (data protection for healthcare organisations), this is not as stringent as the GDPR. However, there is discussion of a US/EU safe-harbour.

Interestingly, Align Techonology Inc (Invisalign) was the first company to successfully close a dual application for BCR (binding corporate rules) for both processors and controllers, which ensured data protection compliance in global information transfer under previous data protection directives. It is likely that Align will continue to uphold its commitment to data protection compliance as the GDPR unfolds.

Deletion of data- will we be required to delete dental records if a patient requests?

As dental records fall under ‘special’ data, these would not undergo deletion

How does ‘positive opt-in’ affect us?

This determines how a patient wishes to be contacted by the practice. While previously an individual may be contacted via any means and would have to notify the organisation if they preferred to opt out of communication, they would now have to opt in. This can be relevant with your practice marketing; you will now need to gain consent for marketing emails, text messages and post. We suggest having a tick box on the medical history form confirming how patients would prefer to be contacted, and explicitly requesting their consent to do so.

The Information Commissioner’s Office (ICO) recommends that businesses commence their preparation. More changes and guidance will be released by the ICO over the coming months.


As further developments in GDPR legislation and how it will be implemented in health-care unfold, we can continue to keep you informed.


We have formulated an action plan which allows you to determine steps you must take for your practice to meet the standards. This will incorporate the required PIA, so that your assessment is in line with the Regulation.


We will train your chosen DPO to ensure that they meet the required standards, understand the GDPR and how to begin implementing it into your practice.

Data Protection Assessments 

Our Risk Assessment services are all in-House. We visit your practice and conduct a thorough Data Protection Risk Assessment. A report is generated with an action plan for you to follow and implement, that is specific to your practice.


Our consulting services are always bespoke, and data protection is no exception. We can formulate a tailor-made package for you in which we determine via Risk Assessment what steps are required for your practice to meet the Regulation, provide training for your DPO, and manage the required action plan. GDPR is taken care of by us.

[gravityform id=”4″ title=”true” description=”true”]