Introduction to GDPR

The General Data Protection Regulation was introduced into UK law on 25 May 2018. Along with a new Data Protection Bill, it replaces the Data Protection Act 1998 and together they tighten up existing protections for data subjects, including patients, and place additional obligations on practices to demonstrate compliance with the law. Here the head of the DDU, John Makin, advises on how to comply with the changes.

Most practices will already have taken steps to comply with the new data protection legislation, but the following list will still be useful for those wishing to check they are on track:

  • review the Information Commissioner's Office's '12 steps to take now'
  • review policies regarding data protection
  • make all staff aware of the new regulations and individuals' rights
  • update notices explaining how the practice processes and stores data and complies with other fair processing requirements (for example, notices in practice leaflets or on websites)
  • make sure systems are in place to detect, investigate and report data breaches.

The advice in this article concentrates only on the role of practices as data controllers for patients' data. Practices will need to take advice separately on other data for which they are responsible, such as employee data.

NHS Digital's website also contains helpful information about implementation of the GDPR for all NHS bodies. It has been compiled by an NHS England working group and is updated regularly.

This page was correct at publication on 20/06/2018. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.