
Sending Appointment Reminders Under GDPR: What UK Practices Need to Know

The GDPR Question Every Practice Asks

If you run a dental practice, GP surgery, clinic, or beauty salon in the UK, you have almost certainly wondered: is it legal to send SMS and email appointment reminders under GDPR?

The short answer is yes, it is legal, and for most healthcare and appointment-based businesses, it is more straightforward than you might think. But like everything related to data protection, the details matter. This article explains the legal basis for sending appointment reminders, what you need to have in place, and the practical steps to ensure full compliance.

Let us be clear from the outset: GDPR is designed to protect people's personal data, not to prevent businesses from communicating with their own patients and clients. Appointment reminders are a normal, expected part of the service relationship, and the law reflects this.

Understanding UK GDPR: The Basics

Since the UK left the EU, the UK has its own version of GDPR -- the UK General Data Protection Regulation, supplemented by the Data Protection Act 2018. The principles are essentially the same as EU GDPR, but enforcement is handled by the Information Commissioner's Office (ICO) rather than EU regulators.

Under UK GDPR, you need a lawful basis to process personal data (which includes sending someone an SMS or email). There are six lawful bases, and two of them are directly relevant to appointment reminders:

  • Legitimate interest: Processing is necessary for your legitimate business interests, provided those interests are not overridden by the individual's rights
  • Consent: The individual has given clear, specific consent to their data being used in this way

For appointment reminders, legitimate interest is generally the most appropriate and practical legal basis. Consent can also work, but it comes with additional requirements that legitimate interest avoids.

Legitimate Interest: The Practical Choice

The ICO recognises that businesses have legitimate reasons to communicate with their existing clients about services those clients have requested. Sending an appointment reminder to a patient who has booked an appointment with you is a textbook example of legitimate interest.

Here is why legitimate interest works for appointment reminders:

  • The patient has an existing relationship with your practice. They actively booked the appointment, providing their contact details for this purpose.
  • The reminder directly relates to a service they requested. You are not sending marketing or promotional material -- you are reminding them about something they asked for.
  • The patient reasonably expects to receive the reminder. Appointment reminders are standard practice across healthcare and beauty. No patient would be surprised to receive one.
  • The reminder benefits the patient. It helps them attend their appointment and avoid wasting their own time through a forgotten booking.
  • The intrusion is minimal. A brief, factual reminder SMS is not intrusive or unwanted in the vast majority of cases.

To rely on legitimate interest, you should conduct a Legitimate Interest Assessment (LIA). This sounds formal, but for appointment reminders it is straightforward. You document the purpose (reducing no-shows, helping patients remember appointments), the necessity (reminders are the most effective way to achieve this), and the balancing test (the patient's interest in being reminded outweighs any minimal privacy intrusion).

What About Consent?

You can also use consent as your legal basis for sending appointment reminders. However, consent under GDPR has specific requirements:

  • It must be freely given -- the patient must not feel pressured to consent
  • It must be specific -- consent for reminders must be separate from consent for marketing
  • It must be informed -- the patient must know what they are consenting to
  • It must be unambiguous -- typically a clear tick box or positive action, not a pre-ticked box
  • It must be withdrawable -- the patient must be able to opt out at any time

The reason legitimate interest is often preferred over consent for reminders is that consent can be withdrawn at any time. If a patient withdraws consent for reminders, you lose the ability to remind them about appointments they have booked -- which is bad for them as well as for your practice.

With legitimate interest, the patient can still object to receiving reminders (and you must honour that objection), but the default position is that reminders are sent as part of the normal service. This is more practical for both parties.

What to Include in Your Privacy Notice

Regardless of which legal basis you use, your practice must have a privacy notice that tells patients how their data is used. This should be available on your website, in your reception area, and ideally provided to new patients at registration.

Your privacy notice should include the following information regarding appointment reminders:

  • What data you collect: Name, phone number, email address, appointment details
  • Why you process it: To send appointment reminders and confirmations to reduce missed appointments
  • The legal basis: Legitimate interest (or consent, if that is your chosen basis)
  • Who processes the data: If you use a third-party reminder service like PaulSpeaks Reminder, this should be named as a data processor
  • How long data is retained: Specify your retention period (e.g., appointment data retained for 12 months after the appointment)
  • The patient's rights: Right to object, right to access their data, right to request deletion
  • How to opt out: Clear instructions for patients who do not wish to receive reminders

A well-written privacy notice does not need to be pages of legal jargon. The ICO encourages clear, plain language that patients can actually understand.

The Right to Opt Out

Under both legitimate interest and consent, patients have the right to opt out of receiving appointment reminders. Your system must make this easy. The simplest approach is to allow patients to reply STOP to any SMS reminder, which immediately suppresses future messages to that number.

In practice, very few patients opt out of appointment reminders. The ICO's own research shows that the public generally welcomes reminders from their healthcare providers. Opt-out rates for appointment reminders are typically well below 1%, because the reminders are genuinely useful and expected.

If a patient does opt out, you must respect their decision and suppress future reminders to their number. Your reminder system should maintain an opt-out list to ensure compliance.

Data Processing and Third-Party Providers

If you use a third-party service to send appointment reminders -- which most practices do, because building your own SMS system is impractical -- that service is acting as a data processor under GDPR. You, as the practice, are the data controller.

You need a Data Processing Agreement (DPA) with your reminder service provider. This is a legal document (usually provided by the service as part of their terms) that specifies:

  • What data the processor handles (patient names, phone numbers, appointment details)
  • How the data is stored and secured
  • That the processor only uses the data for the purposes you specify
  • What happens to the data when you stop using the service
  • Security measures in place to protect the data

Reputable reminder service providers like PaulSpeaks Reminder provide a standard DPA as part of their service agreement. If your provider cannot provide a DPA, that is a red flag and you should look elsewhere.

Data Retention: How Long Can You Keep Appointment Data?

GDPR requires that personal data not be kept for longer than necessary for the purpose for which it was collected. For appointment reminders, the data (patient name, phone number, appointment date and time) is needed for the duration of the appointment cycle -- from booking through to the appointment date.

In practice, most businesses retain appointment data for a reasonable period after the appointment for administrative purposes (billing, complaints, re-booking). A retention period of 6 to 12 months after the appointment date is generally considered reasonable for reminder-related data.

Healthcare practices may have longer retention obligations for clinical records under separate NHS and regulatory frameworks, but the reminder data itself (the SMS sent, the confirmation received) does not need to be kept indefinitely.

The PECR Angle: Electronic Communications

In addition to GDPR, the Privacy and Electronic Communications Regulations (PECR) apply to SMS and email communications in the UK. PECR restricts unsolicited marketing communications, requiring consent before sending promotional messages.

The critical point for appointment reminders is that they are not marketing. An appointment reminder is a service message -- it relates directly to a transaction (the appointment) that the patient has initiated. Service messages are not covered by PECR's marketing restrictions.

However, if you include promotional content in your reminder messages -- for example, "Do not forget your appointment tomorrow. Also, we have a special offer on teeth whitening this month!" -- the message may be reclassified as marketing, which would require separate consent under PECR.

The safest approach is to keep reminder messages purely informational: appointment details, confirmation request, and contact information. No promotions, no cross-selling, no marketing. This keeps your reminders firmly in the service message category.

Practical Compliance Steps

Here is a straightforward checklist for ensuring your appointment reminder system is fully GDPR compliant:

  1. Choose legitimate interest as your legal basis and document a Legitimate Interest Assessment
  2. Update your privacy notice to mention appointment reminders and name your reminder service provider
  3. Ensure your reminder provider has a DPA available and sign it
  4. Provide an easy opt-out mechanism (reply STOP) and maintain an opt-out list
  5. Keep reminder messages factual -- no marketing content
  6. Set a data retention policy for appointment and reminder data
  7. Inform patients at registration that they will receive appointment reminders as part of the service
  8. Review your compliance annually to ensure everything remains up to date

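As an added example (not code from this article or from PaulSpeaks Reminder), here is a small Python gate that implements checklist steps 4 and 6: it records a reply STOP as an opt-out, refuses to send to a suppressed number however that number was formatted, and purges appointment records past the retention period. The extra opt-out keywords beyond STOP, the UK number normalisation and the 365-day default are assumptions.

```python
from datetime import date, timedelta

# Replies treated as an opt-out (assumed set; the article only mentions STOP).
STOP_KEYWORDS = {"STOP", "UNSUBSCRIBE", "OPT OUT", "OPTOUT"}


def normalise_number(raw: str) -> str:
    """Canonicalise a UK mobile number so '07700 900123', '0044 7700 900123'
    and '+447700900123' all resolve to the same suppression-list entry."""
    digits = "".join(ch for ch in raw if ch.isdigit() or ch == "+")
    if digits.startswith("+44"):
        return digits
    if digits.startswith("0044"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return digits


class ReminderGate:
    """Suppresses reminders to opted-out numbers and purges expired data.
    The opt-out set lives in memory here; a real system persists it."""

    def __init__(self, retention_days: int = 365):
        self.opted_out = set()
        self.retention_days = retention_days

    def handle_inbound(self, sender: str, text: str) -> bool:
        """Record an opt-out when the reply is a STOP-style keyword.
        Returns True if the sender was added to the suppression list."""
        if text.strip().upper() in STOP_KEYWORDS:
            self.opted_out.add(normalise_number(sender))
            return True
        return False

    def may_send(self, number: str) -> bool:
        """Outbound check: never send to a number on the opt-out list."""
        return normalise_number(number) not in self.opted_out

    def purge_expired(self, appointments: list, today_iso: str) -> list:
        """Keep only appointment records (with ISO 'date' fields) that fall
        inside the retention window ending today."""
        cutoff = date.fromisoformat(today_iso) - timedelta(days=self.retention_days)
        return [a for a in appointments if date.fromisoformat(a["date"]) >= cutoff]
```

The purge is run against constructed appointment records; in production it would run as a scheduled job against the reminder store.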
For most practices, this process takes an afternoon to set up properly and requires minimal ongoing maintenance. The ICO provides excellent free guidance on its website for small businesses, and the process is far less daunting than many practice managers fear.

The Bottom Line: Reminders Are Not a GDPR Problem

GDPR should not be a barrier to implementing appointment reminders. The regulations are designed to protect against misuse of personal data -- not to prevent a dentist from texting a patient to remind them about tomorrow's check-up.

With a properly documented legitimate interest basis, a clear privacy notice, and a GDPR-compliant reminder service like PaulSpeaks Reminder, you can send automated SMS and email reminders with complete confidence that you are operating within the law.

The far bigger risk is not sending reminders and losing tens of thousands of pounds a year to preventable no-shows. Get compliant, get automated, and get your diary under control.
