
GDPR: What is it and What Does it Mean For You?

GDPR stands for General Data Protection Regulation and is a new piece of legislation that will supersede the Data Protection Act. It applies not only to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
  • Practices must comply with subject access requests
  • Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
  • There are new, special protections for patient data
  • The Information Commissioner’s Office must be notified within 72 hours of a data breach
  • Higher fines for data breaches – up to 20 million euros

What is consent?

Consent is permission from a patient – an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.

Individuals also have the right to withdraw their consent at any time.

5 Things to Know about GDPR

General Data Protection Regulation (GDPR) guidance

This guidance from the national GDPR working group and IGA will help the NHS, social care and partner organisations prepare for EU General Data Protection Regulation (GDPR), when it begins in May 2018.

This policy and guidance is being developed by the national GDPR working group, chaired by NHS England, for publication by the Information Governance Alliance (IGA). Those with senior responsibility for Information Governance can use the guidance to learn how to comply with the GDPR. This includes Caldicott Guardians, operational IG leads and managers, plus all employees.

The guidance will help organisations to make the changes needed due to the EU General Data Protection Regulation, which will happen regardless of Brexit.

If you have any specific queries, please contact us and we will try to answer them as best we can. However, where this is not possible, or the query sits better with another team or organisation, we will let you know. We also recommend you contact the Information Commissioner’s Office (ICO) with enquiries.

Further information:

Contact the Information Commissioner’s Office (ICO) if you have an enquiry on GDPR.

When guidance is being published

The IGA is working hard with other partners to try and ensure material is published as quickly as possible. However, we do acknowledge the need to consider both the forthcoming Article 29 working party guidance and that by the ICO in reviewing and drafting our advice pieces. We will also review, where appropriate, published advice once the Data Protection Bill is approved as it may change the advice provided.

The list below gives an idea of the expected timeframe for publication. Please note this may change and details will be updated here.
March-May 2018

  • Privacy by design and default
  • Personal data breaches and notification
  • Profiling and risk stratification
  • GDPR overview
  • Primary care suite: optometry, pharmaceutical and dental
  • Transparency and subjects’ rights
  • Social care awareness guidance
  • Pseudonymisation

The IGA will continue to provide more information about how health and care organisations are affected and what you can do as it becomes available.

Watch this GDPR webinar

Please watch a GDPR webinar that was presented from Leeds in February 2017.

General guidance

For more general information about preparing for GDPR please contact the Information Commissioner’s Office.

GDPR in relation to research within GP practices

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. During the past few months there have been concerns that GDPR would have a significant impact on the way that we deliver healthcare research. However, as the detail of GDPR is becoming clearer it seems that there will be limited implications for research and the Health Research Authority (HRA) has started to issue guidance to support this position.

There have been some concerns that GPs will need to seek informed consent from patients to invite them to take part in research i.e. sending out study invite letters. We have received advice from the HRA that this is NOT the case:

"For GDPR purposes, contacting patients registered with you as a GP to invite them to take part in research comes within public interest, and meets the additional requirements of public interest for access to special category data as long as the studies have HRA Approval (including REC approval where relevant) and are undertaken in accordance with the policy framework. To meet transparency requirements, information should be provided – e.g. by letting people know about this use of their records when they register. Although exemptions can apply to subject rights for research it is not a blanket exemption and in this scenario it would be reasonable to allow patients to opt out of being contacted. I.e. using records to send out mailings about future research can be an opt out and does not require explicit consent."

The final detail of GDPR is to be set out in national legislation and the Data Protection Act 2018 is yet to pass through Parliament.

The CRN Primary Care Clinical Support Team will continue to provide you with the usual level of support to deliver research in your practice and your dedicated CRN Primary Care Research Associate / Research Nurse will be on hand to discuss any issues you may have.

General Data Protection Requirements

It's important that you explain to your patients how you will be using their personal data, and what their rights are under the law. NHS organisations and GP practices are expected to link to this statement from the HRA from their webpages.

In addition, GP practices are expected to publish information about the research projects they are involved in. Such records should include details of the sponsor, allowing participants to access further information. Separate guidance is provided by the HRA here about information to be published in relation to the roles of data protection officers, information governance officers and research governance managers.

Your organisational privacy notices for staff and patients should also ensure that research is mentioned. The BMA provide useful information on how to include research in privacy notices here.

In addition, GP practices are encouraged to display posters, leaflets and notices on their websites and new patient forms informing patients that the practice is research active and where they can find out more information about what this means.

Data Protection Policy
