Last reviewed 26 March 2018

What is the GDPR?

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and replaces the current Data Protection Act 1998 (DPA).

Why do you need to take action?

Under the DPA, organisations were thought to be compliant until there was a data breach. Under the GDPR, this is no longer the case, you need to have evidence that you are compliant from the start. This means that you need to have documents and processes in place to demonstrate you are following the regulations and ensuring the safeguarding of the data that you hold.

What do you need to do as a social care provider?

  1. You must register with the Information Commissioner’s Office (ICO) if you have not done so already. As a social care provider, you are a data controller (you are processing personal data) which means you must register with the ICO.

  2. Compile a “catalogue” of all the information that your provision holds and processes, often referred to as an Information Asset Register. This will include:

    • Is it personal or sensitive?

    • How is the information stored?

    • Is it shared or transported, and if so, how is this done?

    • Is the information included in a retention schedule?

    • How long are you keeping it for?

    Find a template Information Asset Register here which you can download and fill in for your provision. Each set of boxes represents a different type of “asset”, for example, admissions forms, care plans, medication forms, accident records, etc.

  3. You also need to document your data processing. Use our GDPR Personal Data Processing Record — see the Worked Example for how to complete this.

  4. Write a privacy notice. [This should include the following.

    • The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).

    • Who is collecting it and how (paper forms, electronic forms, etc)?

    • Why is it being collected?

    • How will the information be used?

    • Who will you share the data with (this will include healthcare providers and local authorities if there are safeguarding issues)?

    • Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?]

    Find a template privacy notice here .

  5. Update your data protection policy.

  6. Train your staff. Everyone working for you, including permanent staff, volunteers and work placement students all need to have completed GDPR awareness training and have a good understanding of your policies and procedures. Find a GDPR Staff Awareness Training Presentation here to fulfil your training needs.

GDPR checklist

Download this GDPR checklist to check and demonstrate your compliance with the GDPR.

Useful Q&As

What is the GDPR?

Other useful documents

The General Data Protection Regulation — feature article