The General Data Protection Regulation (GDPR)

What you need to know

The GDPR and the Data Protection Act 2018 replace the Data Protection Act 1998 with an updated and strengthened data protection framework; however, the key principles of the original Act remain unchanged. The changes most relevant to GPs in their role as data controllers are highlighted in the box below.

The principles in the guidance apply to doctors working in private practice or other NHS healthcare settings.

Key changes under GDPR

  • Compliance must be actively demonstrated. For example, it will be necessary to:
    • keep and maintain up-to-date records of the data flows from the practice and the legal basis for each of these flows; and
    • have data protection policies and procedures in place.
  • More information is required in ‘privacy notices’ for patients.
  • There is a legal requirement to report certain data breaches.
  • Financial penalties for breaches and for non-compliance are significantly increased.
  • Practices will not be able to charge patients for access to medical records (save in exceptional circumstances).
  • Designation of Data Protection Officers.

Please click the link below to view the policies or read below:

GPs as data controllers under the GDPR

Access the full guidance to be clear on your key responsibilities as a GP data controller under the GDPR: GDPR