
How to Set Up Patient Communication That Complies With GDPR in UK

April 1, 2026 · Jordan Ellis


From the team at Formisoft, the HIPAA-ready platform for patient intake, scheduling, and payments.

Running a healthcare practice in the UK means you're sending appointment reminders, lab results, follow-up messages, and payment requests every day. Most practices know GDPR exists. Fewer know what it actually requires when you're texting a patient about their appointment or emailing a lab result.

The General Data Protection Regulation didn't disappear after Brexit. UK GDPR (the retained domestic version, read alongside the Data Protection Act 2018) applies to every practice, clinic, and hospital. When you communicate with patients, you're processing personal data, and often health data, which Article 9 UK GDPR classes as "special category data" requiring extra protection. Get it wrong and the higher maximum penalty the ICO (Information Commissioner's Office) can impose is £17.5 million or 4% of annual worldwide turnover, whichever is greater, plus the reputational damage of having the enforcement action published on the ICO website.

Here's what UK GDPR compliance for patient communication actually looks like in practice.

What GDPR Requires for Patient Communication

GDPR doesn't ban SMS reminders or emails. It requires six things:

Lawful basis: You need a legal reason to send messages: an Article 6 lawful basis for every message and, because health data is special category data, an Article 9 condition on top of it. For NHS practices the Article 6 basis is usually "public task". For private practices it's "legitimate interests" (appointment management) or "consent" (marketing). "Vital interests" is for emergencies where a life is at risk and does not cover routine messaging. Treatment-related communication normally meets the Article 9 condition at 9(2)(h), the provision of health care, so you document that rather than asking patients to consent to messages they can't realistically refuse.

Transparency: Patients must know what you'll send and how you'll use their contact details. Your privacy notice should spell this out.

Data minimization: Only collect the contact details you need. If you only send SMS reminders, don't demand an email address.

Security: Communications containing health information must be protected. That means encrypted channels for anything beyond basic appointment times.

Patient rights: Patients can request copies of messages you've sent, ask you to stop contacting them, or have their data deleted.

Accountability: You need documentation showing you've thought through the risks and implemented appropriate safeguards.

Most practices trip up on security and transparency. They send unencrypted texts with too much detail or fail to document consent properly.

The Difference Between Appointment Reminders and Clinical Communication

The distinction that matters to the ICO is between administrative messages and clinical ones.

A text saying "Appointment tomorrow at 2pm with Dr. Smith" is low-risk. It confirms facts the patient already knows, and UK GDPR allows it under legitimate interests. Even here, keep the wording neutral: a reminder that names the sexual health clinic or a named oncologist reveals a condition just as surely as a result would.

A text saying "Your diabetes screening results are ready" crosses into health data. So does "Please schedule your follow-up colonoscopy" or "Your prescription for sertraline is ready."

I've worked with practices that got breached because they sent "Your STI test results are negative" via SMS. The patient's partner saw the message. The complaint went to the ICO. The practice had to prove they'd done a Data Protection Impact Assessment and offered secure alternatives. They hadn't.

For clinical communication, you need:

  • End-to-end encryption or portal-based messaging
  • Patient consent that specifies what types of messages they'll receive and how
  • Clear documentation of that consent
  • A way for patients to opt into secure messaging

Patient notifications in Formisoft let you control exactly what goes in each message type. You can send bare-bones appointment reminders via SMS while routing anything clinical through the patient portal where it's encrypted and access-controlled.

SMS vs. Email vs. Portal: What the ICO Actually Expects

Standard SMS isn't end-to-end encrypted. Your messaging provider and the carrier can read it, it is stored in plaintext on the handset, and it usually shows on the lock screen. Anyone with access to the patient's phone (family member, repair shop, lost device) can read messages. The ICO says SMS is acceptable for low-risk admin messages but risky for health data.

Email is only slightly better. TLS protects the message between mail servers when both sides support it, but after delivery it sits readable in the patient's inbox, often a personal or shared webmail account, and you can't control who else has access to that mailbox or what they do with forwarded messages.

Patient portals meet GDPR's requirements for secure communication if they:

  • Require authentication (a password with a second factor, or a device biometric)
  • Encrypt data in transit and at rest
  • Log access attempts
  • Let patients control their own data

The ICO expects practices to offer secure options for anything health-related. You don't have to force patients onto portals, but you need to document that you offered a secure channel and they chose SMS.

Formisoft's online booking and portal system give you both: patients book appointments through an authenticated portal, but you can still send basic reminders via SMS if that's what they prefer. The system documents their preference.

Consent for Patient Communication Under GDPR

NHS practices can usually rely on "public task" for core treatment communication. Private practices usually rely on legitimate interests, with Article 9(2)(h) as the condition for the health data; explicit consent is the right basis for marketing and for anything a patient can genuinely decline.

Consent must be:

  • Freely given (not bundled with treatment acceptance)
  • Specific (separate boxes for SMS, email, portal notifications)
  • Informed (your privacy notice explains what you'll send)
  • Unambiguous (clear opt-in, not pre-ticked boxes)
  • Revocable (easy way to stop messages)

Most practices mess this up during intake. They hand patients a generic "I agree to receive communications" checkbox. That's not specific enough.

Your new patient intake form should ask:

  • Preferred contact method for appointments (SMS/email/portal)
  • Preferred contact method for results (usually portal only)
  • Whether they consent to appointment reminders
  • Whether they want billing and payment messages
  • Whether they opt into newsletters or health tips (clearly marked as marketing; electronic marketing also needs opt-in consent under PECR, the Privacy and Electronic Communications Regulations, not just UK GDPR)

Each preference should be separate. You document which they chose. If they later complain about unwanted messages, you have proof they opted in.

I've seen practices get complaints because they assumed "you have my mobile number" equals consent for all messages. The ICO doesn't see it that way.

What Happens When You Send Too Much Information

A dermatology clinic in Leeds got reported last year. They sent "Your biopsy for the lesion on your left breast came back clear" via SMS. The patient's teenage daughter saw it on the lock screen. The patient filed a complaint.

The ICO investigation found:

  • No Data Protection Impact Assessment for SMS clinical results
  • No documented consent for SMS health data
  • No secure alternative offered
  • Privacy notice didn't mention clinical texts

The clinic got a reprimand and had to overhaul their entire communication workflow. They now use a portal for results and SMS only for "results available, log in to view."

This isn't theoretical. Practices get caught because staff take shortcuts when they're busy, EMR systems auto-generate messages with too much detail, nobody reviewed what the automated texts actually say, or the practice assumed texts were fine because "everyone does it."

I walk practices through this during onboarding. We test every message template. If it mentions a condition, medication, or test result, it goes through the portal. If it's an appointment time and location, SMS is fine.
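
Here is that template review as code. It is an added example written for this article, not Formisoft's code: the message categories, channel names, the clinical-term list and the neutral nudge text are illustrative assumptions. It enforces the stricter rule this section lands on (a clinical message body never leaves the portal; the patient's chosen SMS or email channel only ever gets "log in to view"), and it fails closed when a template marked admin, billing or marketing turns out to mention a result, medication or condition, which is exactly the auto-generated-template mistake described above.

```python
import re
from dataclasses import dataclass, field

# Message categories (the separate tick boxes on the intake form) and channels.
# Names are assumptions for this example.
ADMIN, BILLING, CLINICAL, MARKETING = "admin", "billing", "clinical", "marketing"
SMS, EMAIL, PORTAL = "sms", "email", "portal"

# Illustrative, not exhaustive: words that turn a message into clinical content.
# A real deployment maintains this list with clinical staff and reviews every
# template against it before the template goes live.
CLINICAL_PATTERN = re.compile(
    r"\b(results?|biopsy|screening|prescription|diagnos\w*|colonoscopy|"
    r"lesion|sti|positive|negative|mg)\b",
    re.IGNORECASE,
)

# The only SMS/e-mail text the practice sends about clinical matters.
PORTAL_NUDGE = ("You have a new message from your practice. "
                "Log in to the patient portal to view it.")


@dataclass
class Template:
    name: str
    category: str        # ADMIN, BILLING, CLINICAL or MARKETING
    body: str            # final text after placeholders are filled in


@dataclass
class Patient:
    channel_for: dict    # category -> channel chosen on the intake form
    consented: set       # categories ticked separately on the intake form
    objected: set = field(default_factory=set)   # "stop texting me" etc.


@dataclass
class Decision:
    deliveries: list     # [(channel, text), ...]; empty when nothing is sent
    reason: str          # goes in the audit log either way


class TemplateError(ValueError):
    """A template marked admin/billing/marketing carries clinical content."""


def contains_clinical_content(text: str) -> bool:
    return CLINICAL_PATTERN.search(text) is not None


def route(template: Template, patient: Patient) -> Decision:
    """Decide whether, and on which channel, a message may go out."""
    cat = template.category
    if cat != CLINICAL and contains_clinical_content(template.body):
        # Someone wrote a clinical message into a non-clinical template.
        # Fail closed rather than let it out over SMS.
        raise TemplateError(
            f"template {template.name!r} is marked {cat} but contains clinical content")
    if cat in patient.objected:
        return Decision([], f"patient objected to {cat} messages; suppressed")
    if cat not in patient.consented:
        return Decision([], f"no documented consent for {cat} messages")
    if cat == CLINICAL:
        # Clinical content only ever lands in the portal. If the patient chose
        # SMS or e-mail for results, they get a neutral nudge there instead.
        deliveries = [(PORTAL, template.body)]
        nudge = patient.channel_for.get(CLINICAL)
        if nudge in (SMS, EMAIL):
            deliveries.append((nudge, PORTAL_NUDGE))
        return Decision(deliveries, "clinical content via portal; neutral nudge only")
    channel = patient.channel_for.get(cat, PORTAL)
    return Decision([(channel, template.body)], f"{cat} message on chosen channel {channel}")
```

The term list is a safety net, not the primary control: the category on the template is set when the template is reviewed, and the pattern check only catches the case where someone later edits an admin template into something clinical. Record the `reason` string in your audit log for every decision, including refusals, since that is the evidence the ICO asks for.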

Third-Party Communication Tools and Data Processor Agreements

Most practices use third-party tools for SMS, email, or portals. Under GDPR Article 28, that makes the vendor a data processor. You need a written contract (Data Processing Agreement or DPA) that specifies:

  • What data they can access
  • How they'll protect it
  • That they'll only process data on your instructions
  • What happens if there's a breach
  • How they'll help you respond to patient rights requests
  • What they'll do with data when you stop using them

Twilio, Mailchimp, and similar platforms offer DPAs, but you have to check that one is actually in force for your account (signed, or incorporated into the terms you accepted) and that it covers where the data goes: a vendor that processes data outside the UK needs an international transfer mechanism such as the UK IDTA or the UK Addendum to the EU standard contractual clauses. Using a vendor without a DPA in place is a breach of Article 28 even if nothing goes wrong.

Formisoft's DPA is built into the terms. When you use our patient notifications or appointment scheduling, the agreement covers data processing, breach notification, and data deletion. You're not hunting down paperwork from five different vendors.

We're also UK-hosted with ISO 27001 certification and regular penetration testing. The ICO wants to see that your vendors take security seriously.

Patient Rights and Communication Preferences

GDPR gives patients rights that apply to your communication practices:

Right of access: If a patient requests their data, that includes copies of messages you've sent them and the consent records behind them.

Right to erasure: This right isn't absolute; clinical records have statutory retention periods and stay put. But when a patient leaves your practice, you can't keep sending them marketing emails. Delete the contact preferences you no longer need and keep a minimal suppression record so the patient isn't re-added by a later import; the ICO accepts holding that much to honour the objection.

Right to object: A patient can say "stop texting me" and you must comply; a "STOP" reply to an SMS counts. You document the objection and suppress future messages.

Right to restrict processing: A patient can ask you to pause communication while a dispute about the accuracy of their data or an objection is resolved.

You need a process for handling these requests. That means a way to track objections, suppress contacts, and respond without undue delay and within one month of receipt (extendable by up to two further months for complex or numerous requests, if you tell the patient within the first month). Ignoring a patient's request to stop texting them is a violation that the ICO takes seriously.
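
The request-handling process from this section, and the preference tracking from the intake-form section above, as code. This is an added example written for this article, not Formisoft's code: the record shapes, the request kinds, the placeholder SALT and the sample contact details (07700 900123 is in the UK range reserved for fiction) are assumptions. It keys the suppression list on a salted hash of the contact detail, so an objection survives erasure of the contact record and still matches if the same number is re-entered later, and it computes the one-month response deadline the way the ICO describes it.

```python
import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date

ALL = "*"                      # wildcard category: "stop contacting me"
SALT = b"per-practice-secret"  # placeholder; a real deployment uses its own secret


def response_deadline(received: date) -> date:
    """UK GDPR Art. 12(3): respond within one month of receipt. Computed as the
    ICO describes: the same day next month, or that month's last day if it is
    shorter (31 Jan -> 28 Feb, or 29 Feb in a leap year)."""
    year = received.year + (1 if received.month == 12 else 0)
    month = received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def contact_token(detail: str) -> str:
    """Salted hash of a normalised mobile number or e-mail address. The
    suppression list is keyed on this, so it survives erasure of the contact
    record and still matches if the same detail is re-entered later."""
    normalised = "".join(detail.lower().split())
    return hashlib.sha256(SALT + normalised.encode()).hexdigest()


@dataclass
class RightsRequest:
    kind: str                   # "object" | "restrict" | "erase" | "access"
    patient_id: str
    received: date
    categories: set = field(default_factory=lambda: {ALL})
    source: str = ""            # "SMS reply STOP", "phone call", "letter"


class CommsRegister:
    def __init__(self):
        self.contacts = {}       # patient_id -> {"details": [...], "consented": set}
        self.restricted = set()  # patient_ids with processing paused
        self.suppressed = {}     # contact_token -> set of objected categories
        self.sent = []           # (patient_id, channel, text, date), for access requests
        self.audit = []          # (date, patient_id, kind); holds no contact data

    def register(self, patient_id, details, consented):
        self.contacts[patient_id] = {"details": list(details), "consented": set(consented)}

    def record_send(self, patient_id, channel, text, when):
        self.sent.append((patient_id, channel, text, when))

    def may_send(self, patient_id, category):
        """Gate every outbound message: returns (allowed, reason)."""
        record = self.contacts.get(patient_id)
        if record is None:
            return False, "no contact record"
        if patient_id in self.restricted:
            return False, "processing restricted at patient's request"
        for detail in record["details"]:
            objected = self.suppressed.get(contact_token(detail), set())
            if ALL in objected or category in objected:
                return False, f"patient objected to {category} messages"
        if category not in record["consented"]:
            return False, f"no documented consent for {category}"
        return True, "ok"

    def handle(self, req: RightsRequest):
        """Apply a request and return what was done and the response deadline."""
        deadline = response_deadline(req.received)
        record = self.contacts.get(req.patient_id, {"details": [], "consented": set()})
        if req.kind == "object":
            for detail in record["details"]:
                self.suppressed.setdefault(contact_token(detail), set()).update(req.categories)
            result = f"suppressed {sorted(req.categories)} (source: {req.source})"
        elif req.kind == "restrict":
            self.restricted.add(req.patient_id)
            result = "all outbound messages paused"
        elif req.kind == "erase":
            # Contact details go; the hashed suppression entries and the audit
            # trail stay, otherwise the objection itself would be forgotten.
            self.contacts.pop(req.patient_id, None)
            result = "contact record deleted; suppression retained"
        elif req.kind == "access":
            result = [m for m in self.sent if m[0] == req.patient_id]
        else:
            raise ValueError(f"unknown request kind {req.kind!r}")
        self.audit.append((req.received, req.patient_id, req.kind))
        return {"deadline": deadline, "result": result}
```

Clinical records are outside this register: an erasure request here removes only communication contact data, and retention of the clinical record is governed separately. `may_send` is the gate every automated message passes through before dispatch, and the `audit` list is the evidence that an objection was recorded on the day it arrived.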
