Getting ready for GDPR

On 25 May 2018, the General Data Protection Regulation will be introduced into UK law. There will also be a new Data Protection Act and both will replace the Data Protection Act 1998. They will tighten up existing protections for data subjects, including patients, and place additional obligations on practices to demonstrate compliance with the law. Here the MDU's Carol Chu advises on how to prepare for the changes.

Because the Data Protection Bill is still before parliament, we will need to provide further guidance when it becomes law, but at this stage you should:

  • review the Information Commissioner's Office's '12 steps to take now'
  • review policies regarding data protection
  • make all staff aware of the new regulations and individuals' rights
  • update notices explaining how the practice processes and stores data and complies with other fair processing requirements (for example, practice leaflets or websites)
  • make sure systems are in place to detect, investigate and report data breaches.

The advice in this article concentrates only on the role of practices as data controllers for patients' data. Practices will need to take advice separately on other data for which they are responsible, such as employee data.

NHS Digital's website also contains helpful information about implementation of the GDPR for all NHS bodies. It has been compiled by an NHS England working group and is updated regularly.

This guidance was correct at publication 14/02/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

by Dr Carol Chu, MDU medico-legal adviser

MB, ChB, MSc (Medical genetics), MD, MRCPI, MPhil (Medical Law) DLM

Carol qualified at Sheffield University. She attained her CCST in clinical genetics and spent 13 years as a consultant clinical geneticist, the last six of these also as Head of Department, managing not only the clinical department (doctors, counsellors and administrative staff, including records) but also the three laboratories. In 2011 she left the NHS to pursue a longstanding interest in medical ethics and medical law as a medico-legal adviser for the MDU. She was also chair of a research ethics committee for 10 years.