The General Data Protection Regulation (GDPR) comes into force on May 25th this year. It may alter how you and your staff operate and hold certain data within your practice, including: names, photos, email addresses, bank details, posts on social networking websites, medical information and computer IP addresses.

We’ve collated the information that you need to know to protect your practice.

  • Make sure you monitor, save and know who you share data with, especially third parties and outside agencies.
  • Make sure you know what information is held and stored at your practice.
  • Ensure staff are fully GDPR trained in application of consent, and understand why their personal data, and that of patients, is required.
  • If necessary, appoint a Data Protection Officer to police the correct processing and management of personal data.
  • Devise clear opt-out options and records of patient consent to comply with GDPR’s high consent requirements.
  • You must maintain a business continuity plan that details how you would respond to potential data and cyber security attacks – and report any attacks or near misses that do occur, to CareCERT.

The BMA (British Medical Association) advises that practices' privacy notices should include:

  • Contact details of the practice
  • Contact details of the practice's Data Protection Officer
  • The reasons for processing data and the legal basis for processing data
  • Information about with whom the data is shared (e.g. third parties)
  • Any rights of objection that are available
  • Patients have the right to access their record and to have inaccurate data corrected
  • Retention periods – how long you intend to hold their data for

GDPR is essentially about transparency with those whose data you hold and extending awareness of consent issues and cyber-attacks/security. With regard to the NHS and medical practices, a lot of these changes are in response to the infamous WannaCry attack. WannaCry infiltrated the systems of multiple organisations – including the NHS. The WannaCry ransomware encrypted and held files to ransom – demanding that the NHS pay to release its sensitive files. The NHS was forced to resort to pen and paper, as well as turning away patients and cancelling appointments until the issue could be solved.

Essentially, GDPR is designed to protect people and their data. If you have any further concerns about how GDPR will affect you, get in touch with the NHS Digital Information Governance Alliance or the BMA.