Copyright Doncaster LMC ©   (Company Reg No 6775496) .  All rights reserved.

Terms & Conditions     Oops, I’ve spotted a mistake     Fair process notice

General Data Protection Regulation (GDPR)

The General Data Protection Regulation or GDPR is a European law that applies to industries who supply services to European citizens.  It comes into force on the 25th May 2018 and is hoped to unify data protection and regulation across 28 member EU states.  The GDPR is in addition to current UK laws that govern the use of data.

Information held about persons for the use of healthcare is classed as a special category and as such becomes subject to specific protection due its sensitive nature.

Top Tips!

The GDPR does not just apply to patient records but also applies to any form of data held by or processed by an organisation about EU citizens, irrespective of where that organisation is based in the world.

GDPR is much more widely applicable than just patient data.  

It also applies to (but is not limited to)

Employee records

Payroll activities

HMRC activities (“taxes”)

Website usage (website cookies, online forms, google analytics, facebook, twitter etc)

Audio and visual recording (recording telephone calls, training videos)

…and more!

Summary of requirements of the GDPR (for GP)

Doncaster LMC General Practice GDPR ready checklist

Demonstrate compliance with the GDPR

Template - data processing inventory

Template - data flow record (not a legal requirement, but helpful to track data)

Our CEO (Dr Dean Eggitt) can act as the DPO for GP Practices based in Doncaster.  

You will need to notify us if you decide to take us up on this offer.

Template - Bring Your Own Device (BYOD) Policy

Template - Cloud Computing Policy

Template - Storage and Transfer of Data Policy

Template - Clean Desk Policy

Template - Breach notice

Provide legally justifiable grounds for collecting and holding data about subjects

Publish and uphold the rights of your data subjects

Template - easy read fair process notice

Template - website cookie notice

Template - General Practice privacy notices (Zipped)

Care Quality Commission



Direct Care

National Screening Programme


Summary Care Record

NHS Digital

Public Health


Risk Stratification


Ensure an adequate level of protection for the data that you control and process

Template letter - reassurance of compliance with GDPR

Template - Data Processing Agreement from IAPP (PDF)

Template - Data Processing Addendum for International Transfer of Data


Can I charge for access to medical records? (Subject access request)


Under the new regulation you may not routinely charge patients for access to their medical records.  However, a charge may be levied where the request is seen to be manifestly unfounded or excessive.  If the request is manifestly unfounded or excessive you can charge reasonable administrative costs associated with processing the request.  You can charge a fee if a further copy of the same data is requested.

How long do I have to respond to a Subject Access Request?

One month from receipt of the request.  

This time can be extended by a further two months if the request is complex or you have received a number of requests from that same individual.  You must let the individual know within one month of their request as to why you require an extension.

Do I need a DPO?

If you are a GP practice, then yes.  Individual clinicians do not need a DPO but a DPO must be appointed and utilised where;


What are the special categories?

Special categories of personal data are those which by their very nature merit higher protection in terms of privacy as inadvertent release of this type of data could create more significant risks to a person’s rights and freedoms.  To be able to control or process data in a special category you must be able to demonstrate legal basis for processing as well as satisfy a second condition under article 9 of the regulation (  The special categories include:

When do I have to report a data breach?

A data breach should be notified to the supervisory authority (ICO) without undue delay and where possible within 72 hours of becoming aware of a breach.  This is in all cases where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

A personal data breach does not have to be reported if it is unlikely to result in risk to the rights and freedoms of natural persons.  Such instances might be where;

When do I have to use a data processing agreement?

Essentially, a data processing agreement is required whenever personal information is processed on your behalf by an individual or individuals outside of your organisation.  Examples include (but is not limited to);

The regulation states “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”


When must I undertake a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.  You must do a DPIA for processing that is likely to result in a high risk to individuals.  It is also good practice to do a DPIA for any other major project which requires the processing of personal data.  

I don’t ask for information from patients on my website.  Is this an area I should be concerned about?


Although you might not explicitly request personal information via your website, it is possible that your website still collects cookies from those who visit your site.  Cookies are classed as personal data and so the rules regarding collection of personal data in the GDPR still apply.  You can check if your site collects cookies using the this online free tool  If your site collects cookies, you will need a GDPR compliant cookie pop up ( and will need to give details about this in your privacy policy.

Do I still need a Senior Information Risk Officer (SIRO)?

It remains good practice to have a senior executive within your organisation who is familiar with and takes ownership of your information risk policies and procedures.  However, having a SIRO is not a requirement of the GDPR.

Do I still need a Caldicott Guardian?


A Caldicott Guardian is a senior person within an NHS organisation whose role is to protect the confidentiality of patient and service user health and care information. There currently remains a statutory duty on NHS organisations to appoint and use a Caldicott Guardian although this may change in the future given the implementation of the GDPR.

Useful Links