GDPR in General Practice

The General Data Protection Regulation (GDPR) is an EU Regulation which will be directly applicable in the UK from 25 May 2018.

It should be read alongside the forthcoming UK Data Protection Act 2018 (DPA 2018). Together, the GDPR and the DPA 2018 will replace the existing Data Protection Act 1998.

The UK DPA 2018 has not yet been finalised; however, this interim guidance has been produced to help GP practices prepare for the GDPR. The guidance is subject to change when the DPA 2018 comes into force and may be updated.

Key changes under GDPR

  • Compliance must be actively demonstrated; for example, it will be necessary to:
    • keep and maintain up-to-date records of the data flows from the practice and the legal basis for each flow; and
    • have data protection policies and procedures in place.
  • More information must be provided to patients in ‘privacy notices’.
  • A legal requirement to report certain data breaches to the Information Commissioner’s Office (ICO).
  • Significantly increased financial penalties for breaches and for non-compliance.
  • Practices will not be able to charge patients for access to their medical records (save in exceptional circumstances).
  • A requirement to designate a Data Protection Officer (DPO).

Key themes

The guidance sets out the main themes of the legislation and what you need to do to ensure compliance, including:

  • What is a data controller?
  • Consent and other lawful bases for processing
  • Right to object
  • Data controller responsibilities for processing: privacy notices
  • Accountability: demonstrating compliance
  • Dealing with requests for confidential health data
  • Breach reporting
  • Subject access requests
  • Additional concepts under GDPR

PCD Training Opportunity

Primary Care Direct are holding a full-day GDPR training session for primary care during April and May. If you would like to book a place, please contact us at or call 01482 649900.