Last reviewed 10 May 2018

What is the GDPR?

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and replaces the current Data Protection Act 1998 (DPA).

Why do you need to take action?

Under the Data Protection Act 1998, organisations were thought to be compliant until there was a data breach. Under the GDPR this is no longer the case; you need to have evidence that you are compliant from the start. This means that you need to have documents and processes in place to demonstrate you are following the regulations and ensuring the safeguarding of the data that you hold.

What do you need to do as a primary care provider?

  1. You must register with the Information Commissioner’s Office (ICO) if you have not done so already. As a primary care provider, you are a data controller (you are processing personal data) which means you must register with the ICO.

  2. Compile a “catalogue” of all the information that your practice holds and processes, often referred to as an Information Asset Register. For each information asset, this should record:

    • Is it personal or sensitive?

    • How is the information stored?

    • Is it shared or transported, and if so, how is this done?

    • Is the information included in a retention schedule?

    • How long are you keeping it for?

    Find a template Information Asset Register here which you can download and fill in for your practice. Each set of boxes represents a different type of “asset”; for example, registration forms, medical records, accident records etc.

  3. You also need to document your data processing. For each process, you need to have a lawful basis for processing and this must be documented. Find out the six lawful bases for processing in a Question and Answer.

    The ICO has developed a free downloadable Excel spreadsheet to record all your data processing (it includes an examples tab).

  4. Write a privacy notice. This should include the following:

    • The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).

    • Who is collecting it and how (paper forms, electronic forms, etc)?

    • Why is it being collected?

    • How will the information be used?

    • Who will you share the data with (this will include other healthcare providers or local authorities if there are safeguarding issues)?

    • Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?

    Find a template privacy notice here.

  5. Update your data protection policy. Find a template GDPR data protection policy here, which you can download and customise for your practice.

  6. Train your staff. Everyone working for you, including permanent staff, volunteers and work placement students all need to have completed GDPR awareness training and have a good understanding of your policies and procedures. Find a GDPR Awareness Staff Training Presentation here to fulfil your training needs.

  7. Have a process in place for how to handle a data protection breach, including how to report and record it. Find a breach reporting template here and a record of data breach form here.

GDPR checklist:

Download this GDPR Checklist to check and demonstrate your compliance with the GDPR.