Contents
  1. Why AI review responses require regulatory care
  2. What the GDC says about online communication
  3. GDPR implications of replying to Google reviews
  4. How Fidelia's AI guardrails work
  5. Common mistakes practices make
  6. Frequently asked questions

Why AI review responses require regulatory care

Google reviews are now the single most visible public communication channel for dental practices in the United Kingdom. A prospective patient searching for "dentist near me" will encounter your star rating and your responses to past reviews before they ever see your website, your CQC rating, or your GDC registration number.

This creates an uncomfortable regulatory problem. The General Dental Council expects dental professionals to maintain strict confidentiality in all communications. The UK General Data Protection Regulation — retained from EU law after Brexit and supplemented by the Data Protection Act 2018 — classifies health data as a "special category" subject to the highest levels of protection. And yet, a disgruntled patient might post a detailed, one-star review naming their clinician, describing their treatment, and inviting a public response.

In this environment, many practice owners have turned to AI tools to manage their review responses at scale. The appeal is obvious: consistent tone, rapid turnaround, and fewer hours spent agonising over the right words. But AI-generated responses carry the same regulatory obligations as those written by the practice manager or principal dentist. The tool changes; the responsibility does not.

This guide sets out exactly what the GDC and UK GDPR require when responding to online reviews, how practices commonly fall short, and how Fidelia's AI is specifically engineered to stay within those boundaries.

Key takeaway

AI review response tools are lawful to use, but every response they generate must comply with the same GDC and GDPR obligations as a manually written reply. The practice — not the software vendor — bears ultimate accountability.

What the GDC says about online communication

The General Dental Council's Standards for the Dental Team (updated 2024) comprises nine principles that apply to all forms of communication, including online review responses. Two standards are particularly relevant.

Standard 4.2 — Maintain confidentiality

"You must maintain patient confidentiality. You must not post any information or comments about identifiable patients on social networking or blogging sites. If you use professional social media to discuss anonymised cases for the purpose of legitimate peer discussion, you must be careful that the patient or patients cannot be identified."

— GDC, Standards for the Dental Team, Standard 4.2

This standard is directly applicable to Google review responses. When a patient leaves a review — even a negative one containing clinical details — the practice's response must not confirm the reviewer's identity as a patient, acknowledge any details about their treatment, or reference dates, procedures, or outcomes. In the GDC's view, even replying "We're sorry your crown didn't meet your expectations" constitutes a confidentiality breach, because it confirms both the patient relationship and the nature of the treatment.

Standard 2.1 — Respect patients' dignity and choices

"You must treat patients with dignity and respect at all times. Treat every person who seeks your professional services as an individual."

— GDC, Standards for the Dental Team, Standard 2.1

This standard is less frequently cited in the context of reviews, but it matters. A defensive or dismissive review response — even one that avoids disclosing clinical information — can be seen as failing to respect the patient's dignity. Responses that characterise a patient's complaint as unreasonable, suggest the patient is mistaken about their own experience, or use a patronising tone fall foul of Standard 2.1 and risk a formal complaint to the GDC.

Standard 1.7 — Maintain public confidence in the profession

Although less directly applicable, Standard 1.7.2 requires dental professionals to "behave professionally online and offline." The GDC has made clear through its social media guidance that public-facing responses are subject to the same professional standards as in-person communication. An argumentative reply on Google Reviews is no different, in the GDC's eyes, from an argumentative exchange in the waiting room — and can attract a fitness to practise investigation in the same way.

Key takeaway

The GDC does not distinguish between online and offline communication. Your Google review responses are subject to the same confidentiality, dignity, and professional standards as your clinical consultations. Standard 4.2 is the one most commonly breached — and the easiest to breach accidentally.

GDPR implications of replying to Google reviews

UK GDPR — the retained version of the EU General Data Protection Regulation, as applied by the Data Protection Act 2018 — adds a second layer of regulatory complexity. While the GDC is concerned with professional conduct, the Information Commissioner's Office (ICO) is concerned with the lawful processing of personal data.

Health data as a special category

Under Article 9 of UK GDPR, data concerning health is classified as "special category data." Processing this data requires either explicit consent from the data subject or another specific legal basis set out in Schedule 1 of the Data Protection Act 2018. Critically, merely acknowledging that someone is a patient at a dental practice constitutes health data — because it implies that the individual has sought or received dental treatment.

This means that a review response such as "Thank you for being a valued patient at our practice" is, strictly speaking, a disclosure of special category personal data in a public forum without consent. In most cases the reviewer has already identified themselves as a patient, but the practice's confirmation of that relationship is still a separate processing activity by the data controller.

Article 5 — Principles of processing

Even where the reviewer has publicly disclosed their own patient status, the practice's response must still satisfy the core principles under Article 5 of UK GDPR:

The ICO's position

The ICO has not issued specific guidance on dental review responses, but its broader guidance on health data and social media is clear: organisations processing health data must apply the highest standards of care, and any public disclosure requires explicit consent. The ICO's enforcement track record shows that healthcare providers are held to a particularly high standard. Fines under UK GDPR can reach up to £17.5 million or 4% of annual global turnover — whichever is greater.

In practice, a single carelessly worded review response is unlikely to attract a fine of that magnitude. But it could trigger an ICO investigation, which in turn could uncover wider data protection failures. More commonly, it provides ammunition for a patient complaint to the GDC, where the combination of a confidentiality breach and a data protection breach strengthens the case significantly.

Key takeaway

Confirming someone's patient status in a public review response is a disclosure of special category health data under UK GDPR Article 9. It does not matter that the reviewer mentioned it first — the practice's confirmation is a separate data processing activity that requires its own legal basis.

How Fidelia's AI guardrails work

Fidelia was built for the UK private healthcare market specifically because generic review management platforms do not account for GDC obligations or UK GDPR's treatment of health data. Our AI response engine enforces four hard constraints on every draft it produces:

Rule 1: Never confirm patient identity

Fidelia's AI will never use phrasing that confirms the reviewer is, was, or has been a patient at the practice. This means no "Thank you for choosing us," no "We're glad you visited," and no "As your dentist, I can assure you." The AI is trained to treat every reviewer as a member of the public whose relationship with the practice is unknown — because, from a compliance perspective, that is the only safe assumption.

Rule 2: Never disclose clinical details

Even when the reviewer has described their treatment in detail, Fidelia's responses never acknowledge, confirm, or discuss those details. If a reviewer writes "my root canal went badly," the AI does not respond with anything that references root canals, endodontic treatment, or any specific procedure. It acknowledges the concern in general terms only.

Rule 3: Never make absolute medical claims

Fidelia will not generate responses containing claims such as "our treatments always achieve excellent results" or "this procedure has a 98% success rate." Such claims are misleading, potentially in breach of ASA advertising standards, and inconsistent with GDC requirements for honest communication. The AI avoids superlatives and absolute guarantees entirely.

Rule 4: Always move to a private channel

Every response Fidelia generates includes a clear invitation for the reviewer to continue the conversation privately — by telephone or email. This is the single most important compliance technique: it demonstrates responsiveness and concern without requiring any discussion of clinical or personal details in a public forum. The GDC and ICO both regard this as best practice.

Human review remains essential

Fidelia does not auto-publish responses. Every AI-drafted reply enters a review queue where the practice owner or manager can approve, edit, or reject it before publication. This is a deliberate design decision, not a limitation. The GDC holds the registered dental professional accountable for all communications made on behalf of the practice — and that accountability cannot be delegated to a software tool.

Key takeaway

Fidelia's four guardrails — no patient confirmation, no clinical details, no absolute claims, always redirect to private — are not suggestions or defaults that can be overridden. They are hard constraints built into the AI's output filtering. Every response is also held for human review before publication.
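As an added illustration, not Fidelia's own code (which the page does not show), the following Python sketch shows how a deterministic post-filter could screen an AI draft against the four rules above before it is allowed into the human review queue. The phrase lists, clinical lexicon and sample drafts are constructed for this example and are not taken from any product, the GDC or the ICO; the function names `screen_reply` and `broken_rules` are likewise hypothetical.

```python
"""
Rule-based compliance gate for AI-drafted public review replies.

Added example, not Fidelia's code. It screens a draft against the four
guardrails discussed above: (1) no confirmation of a patient relationship,
(2) no clinical detail, (3) no absolute medical claims, (4) an invitation
to continue privately. Every list below is a constructed, illustrative
lexicon; a real deployment would maintain these as reviewed policy data.
"""
import re
from dataclasses import dataclass, field

# Rule 1: phrasing that confirms the reviewer is or was a patient (constructed).
PATIENT_CONFIRMATION = [
    r"\bthank you for choosing us\b",
    r"\bthank you for being a (valued )?patient\b",
    r"\b(we'?re|we are) glad you (visited|chose)\b",
    r"\bas your dentist\b",
    r"\byour (visit|appointment|treatment)\b",
    r"\bour records show\b",
    r"\bchecked our records\b",
    r"\bvalued patient\b",
]
# Rule 2: words that name a procedure, diagnosis or outcome (constructed).
CLINICAL_TERMS = [
    "crown", "root canal", "endodontic", "filling", "composite", "implant",
    "extraction", "whitening", "sensitivity", "restoration", "veneer",
    "procedure", "protocol", "diagnosis", "outcome",
]
# Rule 3: guarantees, superlatives and success-rate statistics (constructed).
ABSOLUTE_CLAIMS = [
    r"\balways\b", r"\bnever fails?\b", r"\bguarantee[ds]?\b",
    r"\b\d{1,3}\s?% success\b", r"\bbest (dentist|practice)\b",
]
# Rule 4: at least one of these must be present (constructed).
PRIVATE_CHANNEL = [
    r"\b(call|phone|telephone|ring)\b", r"\bemail\b",
    r"\bcontact us directly\b", r"\bget in touch\b",
]

# A constructed draft that acknowledges, expresses concern and redirects only.
COMPLIANT_DRAFT = (
    "Thank you for taking the time to share your feedback. We take all "
    "concerns seriously and would welcome the chance to discuss this with "
    "you directly. Please call the practice or email us so we can help."
)


@dataclass
class GateResult:
    """Violations found in a draft; each entry is 'ruleN:reason:detail'."""
    violations: list[str] = field(default_factory=list)

    @property
    def approved(self) -> bool:
        # 'approved' means fit to enter the human review queue,
        # not fit to auto-publish.
        return not self.violations


def screen_reply(draft: str) -> GateResult:
    """Check a draft against all four guardrails and report every breach."""
    text = draft.lower()
    result = GateResult()
    for pat in PATIENT_CONFIRMATION:
        if re.search(pat, text):
            result.violations.append(f"rule1:patient_confirmation:{pat}")
    for term in CLINICAL_TERMS:
        # Word-bounded, optional plural, so 'protocols' hits but 'during' does not.
        if re.search(rf"\b{re.escape(term)}s?\b", text):
            result.violations.append(f"rule2:clinical_detail:{term}")
    for pat in ABSOLUTE_CLAIMS:
        if re.search(pat, text):
            result.violations.append(f"rule3:absolute_claim:{pat}")
    if not any(re.search(pat, text) for pat in PRIVATE_CHANNEL):
        result.violations.append("rule4:missing_private_channel_invitation")
    return result


def broken_rules(draft: str) -> set[int]:
    """Convenience view: the set of rule numbers a draft breaks."""
    return {int(v[4]) for v in screen_reply(draft).violations}


if __name__ == "__main__":
    # Constructed drafts modelled on the mistakes described on this page.
    for draft in [
        "We're sorry your crown didn't meet your expectations.",
        "Thank you for your feedback, [Name]. We're glad you chose our "
        "practice for your dental care.",
        "Actually, we followed all clinical protocols and the outcome was "
        "within normal parameters.",
        COMPLIANT_DRAFT,
    ]:
        print(sorted(broken_rules(draft)) or "ok", "<-", draft[:50])
```

A lexicon filter of this kind is a backstop, not a substitute for the review queue: its expected failure mode is the false negative (a paraphrase the lists do not cover), which is exactly why the gate only decides whether a draft reaches a human, never whether it is published.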

Common mistakes practices make

Even practices with the best intentions routinely make compliance errors in their review responses. These are the patterns we see most frequently — and the ones Fidelia is specifically designed to prevent.

1. The generic template that confirms everything

The most common mistake is also the most widespread. Practices use a stock response like "Thank you for your feedback, [Name]. We're glad you chose our practice for your dental care." This single sentence confirms the patient relationship, processes the reviewer's name in the context of healthcare, and constitutes a disclosure of special category data. It is written with good intentions and is wholly non-compliant.

2. Accidentally confirming patient identity

A reviewer writes: "I had a terrible experience at this practice last Tuesday." The practice responds: "We're sorry to hear about your visit on Tuesday. We've checked our records and…" This response has now confirmed that the reviewer attended the practice on a specific date — personal data processed in a public forum. It may also suggest the practice has searched its records in connection with the review, raising further data protection questions about purpose limitation.

3. Being defensive in public

A negative review stings, and the natural impulse is to correct the record. "Actually, we followed all clinical protocols and the outcome was within normal parameters" is a response that may be factually accurate but is catastrophic from a compliance standpoint. It confirms the patient relationship, references clinical protocols applied to a specific individual, and discusses clinical outcomes in a public forum. Beyond the regulatory issues, defensive responses are also poor marketing — prospective patients reading the exchange will often sympathise with the reviewer, not the practice.

4. Responding with too much clinical detail

Some practices, particularly those proud of their clinical standards, respond to negative reviews by explaining the procedure in general terms. "Sensitivity after a composite filling is quite normal and typically resolves within two weeks" may sound educational, but in the context of a specific patient's review, it confirms the treatment type and offers a clinical opinion about the reviewer's symptoms. Both are compliance failures.

5. Ignoring negative reviews entirely

The opposite extreme — refusing to respond to any review for fear of compliance issues — is also a mistake, though not a regulatory one. Unanswered negative reviews damage the practice's Google Business Profile ranking, reduce patient trust, and create an impression of indifference. The correct approach is to respond to every review, but to do so within the boundaries set by the GDC and UK GDPR.

Key takeaway

The most common compliance failures are not deliberate — they stem from well-intentioned templates and natural defensive instincts. A compliant response acknowledges the review, expresses concern, and redirects to a private conversation. It does nothing else.

Frequently asked questions

Can AI legally reply to dental reviews in the UK?

Yes. There is no UK law that prohibits using AI to draft or publish review responses. However, the content of those responses must comply with GDC standards on confidentiality (Standard 4.2) and UK GDPR rules on processing personal data. The tool itself is lawful — the obligation falls on the practice to ensure each response does not disclose patient information or make misleading clinical claims. Fidelia's guardrails are designed to make compliance the default, but the practice retains final approval authority over every response.

Does replying to a Google review breach GDPR?

Not inherently. A breach occurs only if the response confirms that the reviewer is a patient, discloses health data, or reveals details of treatment. Under Article 9 of UK GDPR, health data is a special category requiring explicit consent for processing. A carefully worded, generic response that neither confirms nor denies a patient relationship does not constitute a data protection breach. The key principle is data minimisation under Article 5(1)(c): include no more personal data than necessary — which, in the case of a public review response, means no personal data at all.

What should a dental practice never say in a public review response?

A practice should never confirm the reviewer's identity as a patient, reference any specific treatment or appointment, disclose clinical outcomes or diagnoses, make absolute claims about treatment success rates, or respond defensively with justifications that imply knowledge of the reviewer's care. Phrases to avoid include "Thank you for choosing us for your treatment," "We're sorry your appointment didn't meet expectations," and "Our records show that…" All such details risk breaching both GDC confidentiality standards and UK GDPR special category data protections.

Is Fidelia approved by the GDC?

The GDC does not approve or endorse software products — it regulates dental professionals and their conduct. Fidelia is a review management platform designed with GDC standards and UK GDPR requirements built into its AI guardrails. Our response templates are structured to comply with GDC Standards for the Dental Team, particularly Standards 2.1 (patient dignity) and 4.2 (confidentiality). Practices remain responsible for reviewing and approving all responses before publication, consistent with the GDC's position that accountability rests with the registered professional.

How does Fidelia handle negative reviews about clinical outcomes?

Fidelia's AI is specifically constrained to never engage with clinical details in public responses. When a negative review references a clinical outcome — such as pain after a procedure, a failed restoration, or dissatisfaction with aesthetic results — Fidelia drafts a response that acknowledges the reviewer's concern in general terms, expresses the practice's commitment to high standards of care, and invites the reviewer to contact the practice directly via telephone or email. This approach satisfies GDC guidance on maintaining confidentiality whilst demonstrating that the practice takes feedback seriously.

Do I still need to review AI-generated replies before they are posted?

Yes, and Fidelia is designed with this in mind. Whilst our AI guardrails prevent the most common compliance errors, the GDC holds the registered dental professional ultimately accountable for all communications made on behalf of the practice. Fidelia provides a review queue where the practice owner or manager can approve, edit, or reject each response before it is published to Google. We recommend that a GDC-registered member of the team has oversight of all outgoing responses.

See how Fidelia drafts compliant replies for your practice

Try the live demo with a real Google review — and see how Fidelia's guardrails keep your responses within GDC and GDPR boundaries, automatically.
