
Feature Briefing

How data protection changes will affect your practice

BMJ 2018; 361 doi: (Published 24 April 2018) Cite this as: BMJ 2018;361:k1764
Matthew Limb, freelance journalist, London, UK
limb{at}

Matthew Limb provides a quick guide to the new responsibilities for GPs and medical researchers after next month’s law change

What is the GDPR, why is it happening, and when?

The General Data Protection Regulation (GDPR) is a Europe-wide law that comes into force on 25 May 2018. It is part of a wider package of reform of data protection in the UK that replaces the Data Protection Act 1998. It applies to those responsible for controlling and processing personal data, including general practices and NHS trusts. The detailed application of the GDPR in the UK will be set out in a new data protection act, which parliament has yet to agree.

What is personal data?

Personal data is any information that can identify a living person—it can include name, NHS number, or a computer IP address. Personal data that reveal a person’s health are “special category” data with greater protection under the GDPR.

What are the key changes?

While the key principles of the original legislation remain unchanged, the new regulation strengthens the rights of individuals (“data subjects”) to request access to their personal data and tightens up data security and accountability. It will not be enough for NHS and other public bodies simply to comply—compliance must be “actively demonstrated.” There are new legal requirements to report data breaches that pose a risk to subjects’ rights, normally within 72 hours, and potentially higher financial penalties for breaches and non-compliance. Patients should be able to access their records free of charge in most cases.

Who is readying the NHS for these changes?

The Information Governance Alliance (IGA), hosted by NHS England, is issuing guidance for the health and social care sector. The alliance is a partnership that includes NHS Digital, the Department of Health and Social Care, and Public Health England. The Information Commissioner's Office and the National Data Guardian's Office are also represented on its board.

Who is responsible for putting them into practice?

General practices and NHS trusts are “data controllers” for the data …
