The EU General Data Protection Regulation (GDPR) is a new EU Regulation, which came into effect on 25 May 2018 and applies to all organisations that use personal data.
The GDPR, together with the (as yet not finalised) Data Protection Act (DPA 2018), will replace and strengthen the existing data protection law.
Preparing for the GDPR should be a high priority for general practice, as meeting the requirements involves changes to processes.
Many of the main concepts and principles set out in the GDPR are the same as those in the current DPA 1998. Therefore, GP practices complying with current law will find that much of their approach to compliance will remain valid.
However, there are new elements, so practices will need to do some things differently and other things for the first time.
Interim guidance on how to comply with the GDPR is available from the Information Commissioner’s Office (ICO) and the NHS Digital Information Governance Alliance (IGA).
We recommend that you monitor these websites and/or sign up to newsletters, as guidance is subject to change once the DPA 2018 comes into effect.
The ICO has published a brief introductory document: ‘Preparing for the GDPR – 12 steps to take now’.
The IGA has published this helpful document: ‘The EU General Data Protection Regulation: the key points for GPs’.
In addition, please see the BMA’s website, which has an overview of the GDPR, together with the guide: ‘GPs as data controllers under GDPR’.