
How to Set Up SMS Reminders That Comply With GDPR in the UK

March 22, 2026 · Maya Torres


I spent an hour last week helping a GP surgery in Manchester fix their SMS reminder setup. They'd been sending appointment texts for months, thinking they were fine because patients "obviously wanted reminders." Then someone filed a GDPR complaint. The practice hadn't documented consent, hadn't included opt-out instructions, and was storing mobile numbers longer than necessary.

GDPR compliance for SMS reminders isn't optional. The General Data Protection Regulation applies to every practice sending appointment texts, and the Information Commissioner's Office (ICO) takes violations seriously. If you're collecting mobile numbers and sending reminders, you're processing personal data. Here's how to do it right.

What GDPR Actually Requires for SMS Reminders

The regulation sets clear rules for processing patient data through text messages. You need a lawful basis (usually consent or legitimate interests), transparent processing, data minimisation, and appropriate security measures.

Most UK practices rely on consent as their lawful basis. That means explicit, informed, freely given consent before you send that first text. "We might contact you" buried in a 10-page form doesn't cut it. The ICO expects you to clearly explain what you'll send, how often, and how patients can opt out.

Legitimate interests can work for appointment reminders (it's in the patient's interest to remember their appointment), but you still need to document your reasoning and give patients the right to object. I've seen NHS practices successfully use this approach, but private clinics often stick with consent because it's clearer.

Getting Valid Consent for SMS Appointment Reminders

When patients book their first appointment, ask clearly: "Would you like appointment reminders by text message? We'll send one reminder 24 hours before your appointment. You can opt out anytime by replying STOP."

That checkbox needs to be unchecked by default. Pre-ticked boxes aren't valid consent under GDPR. The patient takes action to opt in.

Document when they consented, what they consented to, and how they gave consent. If someone questions it two years later, you can show exactly what they agreed to and when. I recommend patient management tools that automatically log consent timestamps and details.

The consent must be specific to SMS reminders. You can't bundle it with consent for marketing emails or data sharing. Separate question, separate consent, separate documentation.

What Your Reminder Messages Must Include

Every SMS reminder you send needs an opt-out mechanism. "Reply STOP to unsubscribe" is standard. Some practices add their name: "Dr. Smith's Surgery - Appointment Tuesday 2pm. Reply STOP to opt out."

Keep the message focused on necessary information: appointment date, time, location if you have multiple sites, and opt-out instructions. Don't add promotional content. Don't mention specific conditions or treatments (a text saying "Your diabetes check-up is tomorrow" violates medical confidentiality if someone else sees the phone).

The ICO recommends keeping messages generic: "Appointment reminder: You have an appointment on [date] at [time] at [practice name]." That's it. Clinical details stay in the clinic.

Data Retention and Security Requirements

GDPR requires you to keep mobile numbers only as long as necessary. If a patient hasn't booked an appointment in 18 months and you have no clinical reason to retain their record, you should delete their mobile number (or their entire inactive record, following your retention policy).

Active patients are different. You keep their mobile number as long as they're receiving care and haven't withdrawn consent. But when they leave your practice, that number comes out of your reminder system promptly.

Security matters because mobile numbers are personal data. Your SMS platform needs encryption in transit and at rest. Access should be limited to staff who need it for appointment management. Logs should track who viewed or edited mobile numbers.

I worked with a dental practice that discovered reception staff were copying patient mobile numbers into personal phones "to be helpful." That's a GDPR violation and a security risk. Tools like team management help you control who accesses what data.

Setting Up SMS Reminders in Your Practice Management System

Start with your data collection point. Whether you use online booking or front desk registration, the mobile number field should include an opt-in checkbox for SMS reminders. The checkbox label explains exactly what patients are consenting to.

Your system should automatically generate reminder messages based on appointment scheduling. If you're doing this manually, you're creating compliance risks and wasting time. Automation ensures consistent timing, consistent messaging, and proper documentation.

Configure timing carefully. Most practices send one reminder 24-48 hours before the appointment. Sending more than that requires justification. Why do patients need three reminders for a single appointment? Keep it proportionate.

Test your opt-out mechanism religiously. Reply STOP should immediately suppress future messages for that patient. I've seen systems where STOP went into a queue for manual processing. That's not good enough. The patient said stop, so you stop.

Handling Patient Rights Under GDPR

Patients can request access to their data (including SMS logs), request corrections, request deletion, or object to processing. Your system needs to handle these requests within one month.

When someone asks what SMS messages you've sent them, you pull the log. When they ask you to delete their mobile number, you delete it (unless there's a legal reason to retain it, like ongoing treatment). When they object to SMS reminders, you stop sending them and document the objection.

Most practices face these requests rarely, but you need a clear process. Who handles the request? How do you verify the patient's identity? Where do you document your response? I recommend building this into your pre-visit intake automation workflow so rights requests get tracked like any other patient interaction.

NHS vs Private Practice Considerations

NHS practices have additional guidance from NHS Digital and local ICBs (Integrated Care Boards). The NHS sets expectations around reminder frequency, message content, and accessibility.

Private practices follow the same GDPR rules but have more flexibility in implementation. You're not bound by NHS technical standards, though following them isn't a bad idea.

Both NHS and private practices must register with the ICO if they process patient data electronically. That registration costs £40-£2,900 annually depending on practice size. It's not optional.

Third-Party SMS Providers and Data Processing Agreements

If you use an SMS gateway service (most practices do), that provider is your data processor. GDPR requires a written data processing agreement (DPA) specifying how they handle patient mobile numbers and message content.

Your DPA should cover data security measures, data location (UK or EU preferred), subprocessor approval, breach notification timelines, and deletion procedures. The provider should give you this agreement automatically. If they don't, ask. If they won't provide one, find a different provider.

Check the route your messages take. Some SMS providers send UK messages through international carriers, which makes each message an international data transfer. Make sure adequate safeguards exist under GDPR Chapter V.

Formisoft's patient notifications include compliant SMS reminders with built-in consent management and GDPR-ready documentation. You're not figuring out data processing agreements with multiple vendors.

Common GDPR Mistakes With SMS Reminders

The biggest mistake is assuming consent. "They gave us their mobile number, so obviously they want texts" isn't how GDPR works. You need explicit consent for SMS reminders specifically.

Second: keeping mobile numbers indefinitely. You don't need a phone number from 2019 for a patient who moved practices in 2020. Clean up your data.

Third: no opt-out mechanism or a broken one. STOP must work immediately, not "within 48 hours" or "after manual review."

Fourth: sharing too much clinical information in the text. Keep it generic. The appointment reminder doesn't need to mention what the appointment is for.

Fifth: no data processing agreement with your SMS provider. You're responsible for your processor's compliance. Get it in writing.

What Working SMS Reminder Compliance Looks Like

You collect mobile numbers with clear, specific consent. You document that consent with timestamps. You send concise, generic reminders with functioning opt-out instructions. You process STOP requests immediately. You delete numbers when no longer needed. You have a DPA with your SMS provider. You can demonstrate all of this to the ICO if asked.

Practices doing this well report 30-40% reductions in
