Copyright Doncaster LMC © (Company Reg No 6775496). All rights reserved.


General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European law that applies to industries that supply services to European citizens.  It came into force on 25th May 2018 and it is hoped that it will unify data protection and regulation across the 28 EU member states.  The GDPR is in addition to current UK laws that govern the use of data.

Information held about persons for the use of healthcare is classed as a special category and as such becomes subject to specific protection due to its sensitive nature.

Top Tips!

The GDPR does not just apply to patient records but also applies to any form of data held by or processed by an organisation about EU citizens, irrespective of where that organisation is based in the world.

GDPR is much more widely applicable than just patient data.  

It also applies to (but is not limited to):

Employee records

Payroll activities

HMRC activities (“taxes”)

Website usage (website cookies, online forms, Google Analytics, Facebook, Twitter etc.)

Audio and visual recording (recording telephone calls, training videos)

…and more!

Summary of requirements of the GDPR (for GP)

Doncaster LMC General Practice GDPR ready checklist

Demonstrate compliance with the GDPR

Template - data processing inventory

Template - data flow record (not a legal requirement, but helpful to track data)

Template - Data Protection Impact Assessment

Provision of the DPO function to General Practice became the responsibility of CCGs from 1st April 2019.  NHS Doncaster CCG have commissioned the DPO function from 1st January 2020 from Primary Care Development Centre.

Template - Data Protection Policy

Template - Bring Your Own Device (BYOD) Policy

Template - Cloud Computing Policy v2

Template - Storage and Transfer of Data Policy v2

Template - Clean Desk Policy v2

Template - Breach notice

Template - Practice Data Breach Response Policy

Provide legally justifiable grounds for collecting and holding data about subjects

GDPR Legal Bases for processing easy read table

Publish and uphold the rights of your data subjects

Template - easy read fair process notice

Template - website cookie notice

Template - General Practice privacy notices (Zipped)

Care Quality Commission



Direct Care

National Screening Programme


Summary Care Record

NHS Digital

Public Health


Risk Stratification


Template - SAR / rectification form

Template - Practice SAR Protocol / Policy v2

Ensure an adequate level of protection for the data that you control and process

Template letter - reassurance of compliance with GDPR

Template - Data Processing Agreement from IAPP (PDF)

Template - Data Processing Addendum for International Transfer of Data


Can I charge for access to medical records? (subject access request)


Under the new regulation you may not routinely charge patients for access to their medical records.  However, a charge may be levied where the request is seen to be manifestly unfounded or excessive.  If the request is manifestly unfounded or excessive you can charge reasonable administrative costs associated with processing the request.  You can charge a fee if a further copy of the same data is requested.

What is the definition of “manifestly excessive or unfounded”?

Unfortunately, there is no current national definition for us to apply to the GDPR.  This means that each organisation will need to define and apply its own definition in a transparent manner and be prepared to be called to account for this.  

Repeated requests for the same information might also be seen as excessive.

How long do I have to respond to a subject access request?

One month from receipt of the request.  

This time can be extended by a further two months if the request is complex or you have received a number of requests from that same individual.  You must let the individual know within one month of their request as to why you require an extension.

How should I respond to a subject access request?

The information provided to a data subject from their subject access request should usually be provided in the same format in which the request was made.  For example, if the patient requests information over the phone it may be suitable to give the information over the phone.  Similarly, if the request was made by email it may be suitable to give the information back in an email.  The data subject has the right to request the information in a format other than how the request was made.  Of course, in responding you should always consider the risks involved in relaying personal information and try to mitigate these risks.  Follow this link to see the Doncaster LMC guide to sending secure emails.

Do I need a DPO?

If you are a GP practice, then yes.  Individual clinicians do not need a DPO but a DPO must be appointed and utilised where;


What are the special categories?

Special categories of personal data are those which by their very nature merit higher protection in terms of privacy, as inadvertent release of this type of data could create more significant risks to a person’s rights and freedoms.  To be able to control or process data in a special category you must be able to demonstrate a legal basis for processing as well as satisfy a second condition under Article 9 of the regulation.  The special categories include:

When do I have to report a data breach?

A data breach should be notified to the supervisory authority (ICO) without undue delay and where possible within 72 hours of becoming aware of a breach.  This is in all cases where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

A personal data breach does not have to be reported if it is unlikely to result in risk to the rights and freedoms of natural persons.  Such instances might be where;

When do I have to use a data processing agreement?

Essentially, a data processing agreement is required whenever personal information is processed on your behalf by an individual or individuals outside of your organisation.  Examples include (but are not limited to);

The regulation states “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”


When must I undertake a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.  You must do a DPIA for processing that is likely to result in a high risk to individuals.  It is also good practice to do a DPIA for any other major project which requires the processing of personal data.  

I don’t ask for information from patients on my website.  Is this an area I should be concerned about?


Although you might not explicitly request personal information via your website, it is possible that your website still collects cookies from those who visit your site.  Cookies are classed as personal data and so the rules regarding collection of personal data in the GDPR still apply.  You can check if your site collects cookies using this free online tool.  If your site collects cookies, you will need a GDPR compliant cookie pop up and will need to give details about this in your privacy policy.

Do I still need a Senior Information Risk Officer (SIRO)?

It remains good practice to have a senior executive within your organisation who is familiar with and takes ownership of your information risk policies and procedures.  However, having a SIRO or a similar individual is not a requirement of the GDPR.

Do I still need a Caldicott Guardian?


A Caldicott Guardian is a senior person within an NHS organisation whose role is to protect the confidentiality of patient and service user health and care information. There currently remains a statutory duty on NHS organisations to appoint and use a Caldicott Guardian although this may change in the future given the implementation of the GDPR.

Is it ok to assume consent to use personal data, given that it’s obvious how it is going to be used?


The concept to remember is “privacy by design, and privacy by default”.  The default position should always be one of privacy.  Unless you have explicit consent or another legal purpose to use the personal data and you have clearly shared this reason with the data subject via a privacy notice (fair process notice), you should not use the data.

I have collected personal data for use for one reason but I now need to use it for a different purpose.  Is this ok?

It may be ok to use the data for a different purpose if the different purpose was made clear to the data subject at the outset.  It is not appropriate to collect data for one reason and then change the reason without explicit consent from the data subject.

Do I need a Data Processing Agreement with TPP / EMIS / Vision?


Each of these companies has developed its own Data Processing Agreement for you to consider and sign.  If you have not received one, please contact them directly to arrange for one to be sent to you.

Is it ok to record next of kin data for our employees?

This is required for instances of an emergency and so would be required to protect the vital interests of a data subject or natural person.  You will need to detail this in your privacy notices.

Useful Links and Downloads

Download - Dr Eggitt’s GDPR Powerpoint Presentation

Download - Template Privacy Poster

Download - Cyber Risk Poster

Download - GDPR (in full)