Hentons logo
banner image


4 min read
author image
By : Peter Mclntyre

GP practices –along with all other organisations – should now be well on with preparations for the General Data Protection Regulation (GDPR) which becomes active on 25th May, particularly in the light of the government’s decision to implement this into UK law ahead of time, “helping Britain prepare for a successful Brexit”, through a new Data Protection Bill, which has now been through the House of Lords and is due for consideration in Parliament imminently. The aim of the legislation is to ‘strengthen and unify data protection for all individuals within the EU’ – but leaving the EU does not mean we can opt out – especially in the light of the above.

Those practices already compliant with the Data Protection Act Practices should be on the right lines and have little to worry about. But the key is to understand what requires review or documentation, Full guidance can be found on the Information Commissioner’s Office (ICO) website here but for those with limited time, here are the 12 steps to preparation that you need to be aware of:

1. Raise awareness: GPs and Practice Managers need to be aware of the change and start assessing the impact on the practice. Compliance will require some changes and these will require thought, further advice and planning.

2. Document the information you hold: Under both the Data Protection Act and GDPR, patient data is classified as sensitive and compliance is more onerous. In addition, GP practices are employers and hold the personal data of staff. Look at:

  • The personal data you hold.
  • The source of the data.
  • Others you share that data with, for example outsourced payroll services.

The practice needs to demonstrate that its policies and procedures are effective and that they adequately protect data.

3. Communicating about data management and sharing with patients: Many practices already have a ‘Privacy Notice’ within their Patient Information Leaflet but this will need reviewing to ensure it includes, at the very least:

  • The practice’s ‘lawful basis’ for processing data (staff and patients) - see 6 below.
  • How long the practice retains data.
  • Details of the individual’s right to complain and to whom.

Check the full guidance for a comprehensive list of requirements.

4. Protecting the rights of individuals: Central to GDPR is that the individual’s rights are strengthened. This has resulted in an expanded list of rights, and practices must be able to demonstrate that all policies and procedures protect these rights. Please be aware that not all of these may be relevant in a GP practice, such as the right to erasure.

5. Handling Subject Access Requests (SARs): The new rules relating to this will definitely impact practices. Access should be provided ‘without delay’ and certainly within one month. The SAR fee of £10.00 is abolished.

6. Knowing the practice’s lawful basis for processing personal data: In the case of patients’ data, the basis is that ‘processing is necessary for the purposes of preventative or occupational medicine, assessing working capacity of an employee, medical diagnosis, provision of health or social care or treatment or management of health or social care systems and services on basis of law or a contract with a health professional’.

7. Seeking, recording and managing consent to data processing: Again, GDPR will require practices to review their procedures to demonstrate compliance. General guidance is available here  but there is likely to be more detailed guidance relating to consent to processing for medical reasons to come

8. Children: There are new protections that mainly focus on internet-based services such as social networking, but this could possibly apply to online patient services. GDPR currently sets the age of consent at 16 but parents can have proxy access and the age of GDPR consent may change. Practices should bear this in mind.

9. Data breaches: The rules on how data breaches should be reported to the ICO and the individual themselves are being toughened up, with greatly increased fines. It is imperative that practices consider the guidance and ensure they have a robust policy for detecting, investigating and reporting such a data breach.

10. Privacy by Design: This approach is a core principle of GDPR and means, essentially that, for instance, when using data for a new purpose, an organisation should ensure that privacy compliance is integral from the start. This is unlikely to need immediate action by practices before May.

11. Appoint a Data Protection Officer: This is most likely to be the Practice Manager, and the responsibilities are similar to the Data Protection Act.

12. International: This relates to organisations processing data cross-border and so is unlikely to apply.

Debating the merits of data protection may seem removed from practice finances but with potential fines of up to 4% of turnover for breaching the regulations it’s worth getting it right, particularly as there will be an increased risk due to individuals having a greater ability to bring private claims against organisations for breaches. Your income could suffer.

For detailed insights

Operations Manager for Medical Department

Find out more

contact us

back to top