General Data Protection Regulations

The General Data Protection Regulations (GDPR) will come into force on 25 May 2018; The LMC and GPC are concerned about the implications for practices of the regulations.

The GPC has been speaking to NHS England about the ramifications of the regulations and we are now aware that their guidance will not be published until the end of February at the earliest. The GPC is in the process of finalising its own comprehensive guidance which will be ready during January.

In the meantime, an interim update is included below:

  • Practices should already have data protection policies and procedures in place; under the GDPR they will need to be able to show that they are written down and accessible to staff and that staff are aware these policies are in place.
  • Practices should already know what personal data they hold, who can access them (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing; under the GDPR it will be a requirement to have an audit/record to state the above, which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).
  • Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when they might be shared and with whom and any rights of objection. 
  • Practices need to be able to demonstrate their compliance with the regulations upon request– at present they just need to be compliant; under GDPR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially if the ICO turns up at a practice, they need to be able to provide them with a document showing all of the above. 
  • Penalties for data breaches, including not being compliant and not being able to demonstrate compliance are much higher under the GDPR, and have lower thresholds (i.e. you can be fined more for a lesser offence). 
  • Practices will no longer be able to charge a fee for patients to access their own information. 
  • Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA: which you can read here .


Published 13th January 2018