A guide to: General Data Protection Regulation in Health and Social Care

By Anne Crofts and Sophie Devlin


Published 21 November 2016


This General Data Protection Regulation manual is designed to be your guide to the GDPR in health.

I never thought that I would look back on the Data Protection Act with fondness. Over time we have got to know its ways and how to navigate its maze of provisions. But all good things must come to an end. On 4 May 2016 the General Data Protection Regulation – Regulation (EU) 2016/679, or the GDPR – was passed. We now have a new maze to negotiate.

This manual is designed to be your guide: to help you walk the maze with a firmer sense of direction and purpose, to side-step some of the pitfalls and avoid the wrong turns.

All EU member states will need to comply with the GDPR by 25 May 2018. It is likely that we will still be a member state by then. It is highly likely that even after Brexit the requirements of the GDPR will apply in the UK. The countdown to compliance has begun.

You will want to get it right. The maximum fine for non-compliance has risen from £500,000 to €20,000,000 – about £17 million at today’s exchange rates. It is, however, early days. We await a government commitment to implementing the GDPR in the UK, as well as European and ICO guidance. We will keep you updated as the situation evolves.

This manual gives an overview of the likely impact of the GDPR in health and social care. We have looked at each of the main provisions and compared them to current law, ICO guidance and common practice. We provide advice on the practical steps that should be taken to prepare, and on what to prioritise given the uncertainties.

Much of the GDPR will be familiar territory. It builds on old concepts (personal data, data controller etc.), enhances existing rights and obligations and in places makes best practice a legal requirement.

But I’m afraid there is still a lot to be done. There is a new requirement on organisations to demonstrate compliance, which means there will be a lot of paperwork. There are new rights for data subjects too, which are easier to enforce. Contracts and data sharing protocols will need to be reviewed in light of the changes.