General Data Protection Regulation (GDPR)

Download the LMC Privacy Notice Final Version.

GDPR Decision Tree

Please see our decision tree which is a simple diagram to illustrate whether or not you can charge for certain requests.

Some FAQs will follow as we have been collating these at our training events. If you have any further queries relating to GDPR then please do not hesitate to contact our GDPR lead Stephen Toulmin.

Top tips

All practices will need to adopt the new requirements for Data Protection under the GDPR and Data Protection Act 2018 (once finalised). 

It is important to understand and prepare for these changes now.

As a first step it would be important to have the current IG toolkit up to date and accurately completed. This tool kit is due to be renewed in April 2018. 

Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. 

Many questions remain about the precise implementation in Primary Care but the broad principles will apply.

Additional advice is becoming available and will help clarify some details.

The ICO have indicated that although GDPR becomes effective on 25 May 2018 due to the delay in getting the Data Protection Bill through parliament it is believed that a window of settling down may follow, although this cannot be guaranteed, so organisations are asked in the meantime to be prepared and do what they can reasonably. This cannot continue indefinitely but a number of the required tasks / issues will continue post 25 May 2018.

This page gives an overview and links that should help understand and prepare for the changes.

What is the GDPR?

The GDPR is a regulation that will become applicable from 25th May 2018. Its intention is to strengthen data protection for individuals across the European Union. The Data Protection Bill will become law when enacted as the Data Protection Act 2017 and will bring provisions of the GDPR in to UK law and establish continuity of the GDPR in the UK post Brexit. The Data Protection Act 1998 will be repealed.

Compliance is essential as fines under the GDPR are up to a maximum of 20 million Euro or 4% of turnover.

The GDPR strengthens the controls that organisations (data controllers) are required to have in place over the processing of personal data, including pseudonymised data.

Headline Requirements

  • Mandatory appointment of a Data Protection Officer (DPO) for all public authorities including GPs (further clarifications expected)
  • An obligation to demonstrate compliance with the new law
  • Legal requirements for security breach notification
  • Removal of charges (in most cases) for providing copies of records to patients or staff who request them
  • Requirement to keep records of data processing activities
  • Data Protection Impact Assessments required for high risk processing (including the large-scale processing of health-related personal data)
  • Data protection issues must be addressed in all information processes
  • Specific requirements for transparency and fair processing
  • Tighter rules where consent is the basis for processing (N.B. Consent is not likely to be used as the main legal basis for data processing for Public Authorities)

Practices that are performing well in their information governance toolkit will have a good baseline to work form. However, organisations will be required to take specific actions and to be able to evidence that they have done so.

The Information Governance Alliance has published the guidance document GDPR Key Points for GPs and their webpage contains a useful checklist and general guidance with PDFs to download – PLEASE VISIT TO VIEW.  We also know that the BMA General Practitioners’ Committee is in the processing of drawing up practical resources for practices which will be published shortly, in addition to their guidance for GPs as Data Controllers under the GDPR available here.

In the meantime, the Information Commissioner’s Office has published a couple of checklists which may be helpful and a 12 Steps guide for general use.

And the GPC has advised the following:

  • Practices should already have data protection policies and procedures in place; under the GPDR they will need to be able to show that they are written down and accessible to staff and that staff are aware these policies are in place.
  • Practices should already know what personal data they hold, who can access them (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing; under the GPDR it will be a requirement to have an audit/record to state the above, which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).
  • Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when they might be shared and with whom and any rights of objection. These will need updating for GDPR and templates are expected to be available for practices to use.
  • Practices need to be able to demonstrate their compliance with the regulations upon request – at present they just need to be compliant; under GPDR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially if the ICO turns up at a practice, they need to be able to provide them with a document showing all of the above.
  • Penalties for data breaches, including not being compliant and not being able to demonstrate compliance are much higher under the GDPR, and have lower thresholds (i.e. you can be fined more for a lesser offence).
  • Practices will no longer be able to charge a fee for patients to access their own information.
  • Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA: which you can read here but this will be replaced in due course.

View the latest guidance from the BMA.

Download the following presentation GDPR for Practice Managers.

Thanks to both Wessex and Devon LMCs for their assistance.

GDPR Updates

The following link is a helpful collection of GDPR advice, privacy templates and blogs for GPs and practices to use, collated by Dr Paul Cundy from the GPC and there will be updates:

Dropbox – GDPR Information

Please note this is a dropbox link and so may not be accessible from inside NHS secured networks.

Please see the following new GDPR information sources which you may find useful on the BMA and ICO Health Sector pages. These pages highlight who GDPR impacts, what to do now and general guidance:


ICO Health Sector Guidance