This regulation brings a number of new data protection requirements for practices.

The GDPR, or General Data Protection Regulation, is a piece of European legislation which replaced the Data Protection Act (DPA) 1998 on 25 May 2018. The new Data Protection Act 2018 also came into force at the same time. The purpose of the new DPA is to apply the GDPR in the UK. The underlying data protection principles have not changed significantly from those of the DPA – but there is the new principle of ‘accountability’. The GDPR also requires organisations to adopt the philosophy of ‘data protection by design and default’. This means that the organisation must be able to demonstrate compliance with the data protection principles. The principles are the backbone of the regulation.

The risk team have identified the following key tools from our resources to help you work through this area of risk and ensure compliance:


  • Checklist: GDPR. This helps practice managers, GPs and GDPs understand their duties and responsibilities under the GDPR. It contains links to practical guidance sheets which are also listed below.
  • Guidance sheet: GDPR Breach Notifications. What constitutes a data breach under the GDPR and when do you have to notify the Information Commissioner's Office? When do individuals need to be notified? This guidance sheet offers practical advice on this key GDPR area.
  • Guidance sheet: GDPR Subject Access Requests. Find out more about subject access requests and enhanced data subject rights with this handy guidance sheet.
  • Guidance sheet: GDPR Lawful basis for processing. The GDPR requires a lawful basis for the processing of personal data. This guidance sheet explains the various bases for legal processing of sensitive and non-sensitive data with a particular emphasis on informed consent and offers practical advice.
  • Guidance sheet: GDPR Data Protection Impact Assessments. PIAs are useful tools to help practices consider and address the privacy risks inherent in processing the data they hold. The GDPR requires a PIA to be carried out before implementation of a new system or process for processing data. This guidance sheet offers practical step-by-step advice.
  • Guidance sheet: GDPR Privacy Notices. These are effectively compulsory under the GDPR. This guidance sheet explains why you need a privacy notice, what they are for and how they should be composed.
  • Webinar: Watch our training webinar, GDPR an overview.
  • Article: Protecting employee data. Much of the focus in primary care thus far has been on the changes applying to patient records, but data controllers must be aware that the new regulation also applies to the information held about employees. Employment adviser Liz Symon looks at what the GDPR means for the way employee data is processed.
  • Online course: Managing data security breaches
  • Online course: An introduction to Privacy Notices
  • Online course: Managing subject access requests
  • On-demand webinar: GDPR an overview

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
