The General Data Protection Regulation or GDPR is a European law that applies to industries who supply services to European citizens.  It came into force on the 25th May 2018 and is hoped to unify data protection and regulation across 28 member EU states.  The GDPR is in addition to current UK laws that govern the use of data.

Information held about persons for the use of healthcare is classed as a special category and as such becomes subject to specific protection due to its sensitive nature.

Demonstrate compliance with the GDPR

  • Register with the UK Information Commissioners Office (ICO).
  • Hold a data processing inventory.
  • Undertake Data Protection Impact Assessments (DPIA).
  • Appoint and utilise a Data Protection Officer (DPO).
  • Utilise organisation specific privacy policies.
  • Report breaches of data to the UK Information Commissioners Office (ICO) within 72 hours.



Provide legally justifiable grounds for collecting and holding data about subjects
  • Ensure that processing of data has a clear and transparent legal reason (Lawful Purpose).
  • Restrict use of data to ensure that it meets the specific purpose designed (Purpose Limitation).
  • Restrict collection of data to ensure that only that which is needed is collected.  (Data Minimisation).
  • Ensure data held about a subject is accurate.  (Accuracy).
  • Destroy data when it is no longer needed for its original purpose. (Storage Limitation).
  • Ensure that data loss does not occur and that systems are in place to minimise loss. (Integrity).
  • Ensure data is held and processed on a need to know basis.  (Confidentiality).



Publish and uphold the rights of your data subjects
  • Publish and provide access to easy read privacy notices (Fair Process Notices).
  • Provide free access to records you hold about subjects (subject access request).
  • Provide rectification to data you hold about subjects where the data is deemed inaccurate.
  • Provide erasure of data you hold about subjects where this is requested and appropriate.
  • Restrict processing of data when this is requested by a data subject.
  • Provide portable data where indicated.
  • Utilise explicit opt in policies and allow data subjects the right to object to processing of their data.



Ensure an adequate level of protection for the data that you control and process
  • Transparently publish instances and legal reasons where data is transferred internationally.
  • Ensure that processors of data are working within the requirements (or acceptable comparators) of the GDPR.
  • Hold data processing agreements (DPA or acceptable comparators) with partner organisations.
  • Demonstrate due diligence when working with partner organisations.

Frequently Asked Questions

Can I charge for access to medical records? (subject access request)
No.  Under the new regulation you may not routinely charge patients for access to their medical records.  However, a charge may be levied where the request is seen to be manifestly unfounded or excessive.  If the request is manifestly unfounded or excessive you can charge reasonable administrative costs associated with processing the request.  You can charge a fee if a further copy of the same data is requested.

What is the definition of “manifestly excessive or unfounded”?
Unfortunately, there is no current national definition for us to apply to the GDPR.  This means that each organisation will need to define and apply its own definition in a transparent manner and be prepared to be called to account for this.  Repeated requests for the same information might also be seen as excessive.

How long do I have to respond to a subject access request?
One month from receipt of the request.  
This time can be extended by a further two months if the request is complex or you have received a number of requests from that same individual.  You must let the individual know within one month of their request as to why you require an extension.

How should I respond to a subject access request?
The information provided to a data subject from their subject access request should usually be provided in the same format in which the request was made.  For example, if the patient requests information over the phone it may be suitable to give the information over the phone.  Similarly, if the request was made by email it may be suitable to give the information back in an email.  The data subject has the right to request the information in a format other than how the request was made.  Of course, in responding you should always consider the risks involved in relaying personal information and try to mitigate these risks.  Follow this link to see the Doncaster LMC guide to sending secure emails.

Do I need a DPO?
If you are a GP practice, then yes.  Individual clinicians do not need a DPO but a DPO must be appointed and utilised where;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; Or; the core activities of the controller or the processor consist of processing on a large scale of special categories.

What are the special categories?
Special categories of personal data are those which by their very nature merit higher protection in terms of privacy as inadvertent release of this type of data could create more significant risks to a person’s rights and freedoms.  To be able to control or process data in a special category you must be able to demonstrate legal basis for processing as well as satisfy a second condition under article 9 of the regulation (  The special categories include: health; race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); sex life; or sexual orientation.

When do I have to report a data breach?
A data breach should be notified to the supervisory authority (ICO) without undue delay and where possible within 72 hours of becoming aware of a breach.  This is in all cases where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. A personal data breach does not have to be reported if it is unlikely to result in risk to the rights and freedoms of natural persons.  Such instances might be where;

– the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

– the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

– it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

When do I have to use a data processing agreement?
Essentially, a data processing agreement is required whenever personal information is processed on your behalf by an individual or individuals outside of your organisation. Examples include (but is not limited to);
– Payroll administrators (where this function is outsourced)
– Telephone company (where voice recordings are held off site)
– Cloud storage companies
– Online form / survey companies
– Accountants
– Website developers of website domain hosts
The regulation states “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
When must I undertake a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.  You must do a DPIA for processing that is likely to result in a high risk to individuals.  It is also good practice to do a DPIA for any other major project which requires the processing of personal data.  

I don’t ask for information from patients on my website.  Is this an area I should be concerned about?
Maybe.  Although you might not explicitly request personal information via your website, it is possible that your website still collects cookies from those who visit your site.  Cookies are classed as personal data and so the rules regarding collection of personal data in the GDPR still apply.  You can check if your site collects cookies using the this online free tool  If your site collects cookies, you will need a GDPR compliant cookie pop up ( and will need to give details about this in your privacy policy.

Do I still need a Senior Information Risk Officer (SIRO)?
It remains good practice to have a senior executive within your organisation who is familiar with and takes ownership of your information risk policies and procedures. However, having a SIRO or a similar individual is not a requirement of the GDPR.

Do I still need a Caldicott Guardian?
Yes.  A Caldicott Guardian is a senior person within an NHS organisation whose role is to protect the confidentiality of patient and service user health and care information. There currently remains a statutory duty on NHS organisations to appoint and use a Caldicott Guardian although this may change in the future given the implementation of the GDPR.

Is it ok to assume consent to use personal data, given that it’s obvious how it is going to be used?
No. The concept to remember is “privacy by design, and privacy be default”.  The default position should always be one of privacy.  Unless you have explicit consent or another legal purpose to use the personal data and you have clearly shared this reason with the data subject via a privacy notice (fair process notice), you should not use the data.

I have collected personal data for use for one reason but I now need to use it for a different purpose.  Is this ok?
It may be ok to use the data for a different purpose if the different purpose was made clear to the data subject at the outset.  It is not appropriate to collect data for one reason and then change the reason without explicit consent from the data subject.

Do I need a Data Processing Agreement with TPP / EMIS / Vision?
Yes. Each of these companies have developed their own Data Processing Agreements for you to consider and sign.  If you have not received one, please contact them directly to arrange for one to be sent to you.

Is it ok to record next of kin data for our employees?
Yes. This is required for instances of an emergency and so would be required to protect the vital interests of a data subject or natural person.  You will need to detail this in your privacy notices.