WhatsApp and GDPR for
dental practices.
It’s the first question practices ask, and rightly so. Here’s the practical guide: lawful basis, the Business API, consent, data processing, opt-outs, and the DPA — done properly, WhatsApp is a fully compliant patient channel.
This is a practical guide for practice owners, not legal advice. For your specific circumstances, check with your DPO or a data-protection adviser. The principles below reflect how UK GDPR applies to routine patient communication.
The five things that make WhatsApp compliant
Get these five right and messaging patients on WhatsApp is on solid ground. Get any of them wrong — most often the personal-account trap — and you have a problem.
- 1Lawful basis
Have a recorded lawful basis for each type of message. Service communication to existing patients about their own care generally sits under legitimate interest; keep it service-focused, not promotional.
- 2Official Business API
Use the Meta WhatsApp Business API, not a personal WhatsApp on a staff phone. The Business API gives you verified identity, approved templates, and structured consent handling.
- 3Clear opt-out
Every patient must be able to stop messages in one step, and the system must honour it permanently and automatically across all message types — not as a note someone might miss.
- 4Data minimisation
Only process the patient data you actually need to send the message, and only for patients who are genuinely yours. Never message scraped or purchased contacts.
- 5Data Processing Agreement
Have a signed DPA with any provider processing patient data on your behalf, setting out what's processed, why, and the safeguards in place.
Lawful basis: consent vs legitimate interest
The confusion usually comes from mixing up two different things. Service communication is contacting your own existing patients about their own care — an appointment reminder, a recall when they’re due, a review request after a visit, help re-booking. A patient reasonably expects this, so it generally sits under legitimate interest, provided it’s not dressed up as marketing and there’s always an easy opt-out.
Marketing — promoting offers to people who aren’t your patients, or cold outreach — is a different and much stricter world, typically needing explicit consent. SuiteGrowth deliberately stays on the service side: it only ever contacts real, attended patients from your own Dentally system, about their own care. It never messages scraped, purchased, or cold contacts.
The Business API vs personal WhatsApp
This is the single most common compliance mistake. Running patient messages through a personal WhatsApp on a staff member’s phone means no structured consent, no reliable opt-out handling, no audit trail, and patient data sitting on a personal device. It doesn’t scale and it doesn’t stand up to scrutiny.
The official Meta WhatsApp Business API is the compliant route: a verified business sender, pre-approved message templates, and structured consent and opt-out handling built in. SuiteGrowth runs entirely on the Business API, from your own practice number — never a personal account.
Opt-outs, data processing and the DPA
A compliant opt-out is one step and permanent. A patient replies STOP, and the system must never message them again — across every message type, automatically. In SuiteGrowth this is enforced in code, not left to a member of staff to remember, so an opted-out patient is suppressed everywhere at once.
Because a provider processes patient data on your behalf, UK GDPR requires a Data Processing Agreement. SuiteGrowth provides one setting out exactly what data is processed and the safeguards around it — you can read our DPA and GDPR approach before committing to anything. If you’re weighing us up more broadly, we also answered “is SuiteGrowth legit?”
GDPR questions, answered
Is it GDPR-compliant to message dental patients on WhatsApp?
Yes, provided a few things are in place: a lawful basis for the message, the use of the official Meta WhatsApp Business API rather than a personal account, a clear and honoured opt-out, and a Data Processing Agreement with any provider handling patient data on your behalf. Service communication to your own existing patients about their own dental care — reminders, recalls, review requests, re-booking — generally sits comfortably under legitimate interest. It's cold marketing to people who aren't your patients that causes problems.
What is the lawful basis for messaging patients?
For most patient communication, the lawful basis is legitimate interest: you're contacting an existing patient about their own care through a channel they can opt out of at any time. The patient has a reasonable expectation of being contacted about appointments and their treatment. You should record the basis, keep the messages service-focused rather than promotional, and always provide an easy opt-out. Explicit consent is a separate, stricter basis that's more relevant to marketing than to service communication.
Can we just use the practice's WhatsApp on a staff phone?
It's strongly discouraged. A personal WhatsApp account has no proper consent or opt-out handling, mixes patient data with someone's personal device, has no audit trail, and can't scale. The compliant route is the official Meta WhatsApp Business API, which is built for organisations, with verified sender identity, approved templates, and structured opt-out handling. SuiteGrowth runs entirely on the Business API, never a personal account.
How should opt-outs be handled under GDPR?
An opt-out has to be easy and permanent. A patient should be able to stop messages in one step — for example by replying STOP — and once they do, the system must never message them again. This can't be a manual note someone might forget; it needs to be enforced by the software. SuiteGrowth honours opt-outs permanently in code, so an opted-out patient is suppressed across every message type automatically.
Do we need a Data Processing Agreement?
Yes. If a provider processes patient personal data on your behalf, UK GDPR requires a Data Processing Agreement (DPA) setting out what data is processed, why, and the safeguards around it. It's a standard, expected part of using any patient-communication software. SuiteGrowth provides a DPA — you can review ours ahead of signing anything.
Is SuiteGrowth GDPR-compliant?
SuiteGrowth is built to be. It only messages real, attended patients pulled from your Dentally system — never scraped, purchased, or cold contacts — runs on the official Meta WhatsApp Business API, honours opt-outs permanently in code, and provides a Data Processing Agreement. Compliance isn't a bolt-on; it's how the system is designed to work.
Your next 100 five-star reviews are waiting.
Book a 15-minute call. We’ll show you exactly what your patients would receive, and the reviews and bookings it would win you.
Takes 60 seconds · pick a time in the next few days · no setup fee