Introduction to GDPR

The General Data Protection Regulation was introduced into UK law on 25 May 2018. Along with a new Data Protection Bill, it replaces the Data Protection Act 1998 and together they tighten up existing protections for data subjects, including patients, and place additional obligations on practices to demonstrate compliance with the law. Here the head of the DDU, John Makin, advises on how to comply with the changes.

Most practices will already have taken steps to comply with the new data protection legislation, but the following list will still be useful for those wishing to check they are on track:

  • review the Information Commissioner Office's '12 steps to take now'
  • review policies regarding data protection
  • make all staff aware of the new regulations and individuals' rights
  • update notices explaining how the practice processes and stores data and complies with other fair processing requirements (for example, notices in practice leaflets or on websites)
  • make sure systems are in place to detect, investigate and report data breaches.

The advice in this article concentrates only on the role of practices as data controllers for patients' data. Practices will need to take advice separately on other data for which they are responsible, such as employee data.

NHS Digital's website also contains helpful information about implementation of the GDPR for all NHS bodies. It has been compiled by an NHS England working group and is updated regularly.

This guidance was correct at publication 20/06/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.


You may also be interested in


GDPR: Data subjects' rights

GDPR makes data subjects' rights much more explicit. Here we explain your obligations.

Read more

Data Protection Bill 2017-19

The Data Protection Bill replaces the Data Protection Act 1998 and incorporates the requirements of GDPR with certain conditions and exceptions.

Read more

GDPR: Data breaches

An unaddressed data breach is likely to have a significant effect on individuals, and can result in heavy fines for those responsible.

Read more