General Data Protection Regulation - Are you ready?

Published 1 May 2018

On 25 May 2018, the new General Data Protection Regulation will come into force. The GDPR builds on the existing data protection regime and places new obligations on NHS organisations.

The implementation date is fast approaching and it is important that you continue to take steps to ensure compliance. Most NHS bodies will be required to update existing documents, such as privacy notices and data protection impact assessments, in order to satisfy their obligations under the GDPR.

One of the key changes we've been advising NHS bodies on is the new requirements regarding the content of data processing agreements. It's important that you update any template contracts and review your existing contracts to ensure GDPR compliance. You may be aware that the Crown Commercial Service (CCS) recently published a Procurement Policy Note ("PPN") in relation to the GDPR. Although the PPN does not directly apply to NHS Trusts and CCGs, it helpfully includes some generic clauses that can be incorporated into contracts that will be in force after 25 May 2018. There is also a draft letter that can be sent to suppliers in order to notify them of changes you intend to make to relevant contracts. If you have not already started reviewing your contracts, we suggest you start as soon as possible to help ensure that suitable variations can be made to contracts ahead of the implementation deadline. It's likely that you have a significant number of existing contracts in place, so we suggest that you take a risk-based approach to the contract review - for example, by identifying the contracts of highest value or those which involve the processing of a large amount of personal data and reviewing them first.

You may also be aware that your obligations in the event of a data breach have changed. One of the changes is that the GDPR now requires mandatory notification to the Information Commissioner without undue delay and, in any event, within 72 hours of becoming aware of the breach. Historically, NHS organisations have recorded breaches through the IG toolkit and voluntarily notified the Information Commissioner, so this is not a huge departure from the current position. However, you should test and update your existing data breach processes to ensure that the 72-hour deadline can be met.

Please download our GDPR Handbook for Health and Social Care and, if you need any further advice or guidance in relation to the GDPR, please let us know.


Sophie Devlin

+44(0)191 404 4192