GDPR for General Practice


The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. This will be supported by a new Data Protection Bill in due course which will bridge the gap, post Brexit.  Together, these laws will replace the existing Data Protection Act 1998 and will provide a strengthened data protection framework.

Helpfully, the BMA issued guidance on the obligations of GP practices as data controllers under the new regulations in March 2018. This has been supplemented by additional guidance issued by the Department of Health and Social Care (DHSC) last week.

We have included links to each of those guidance documents here and here. The guidance serves as a useful reminder of the steps that GP practices will need to take under the new Regulations.

It is essential that practices prepare for the GDPR to ensure compliance and the BMA have highlighted the most relevant changes for GP practices as follows:

  • Each practice must designate a Data Protection Officer (i.e. a person with expert knowledge of data protection law)
  • Compliance with the Regulations must be actively demonstrated
  • Detailed privacy notes for patients will be required
  • Practices will have a legal obligation to report certain data breaches
  • In most cases, practices will be unable to charge patients for access to their medical records

The new regulations will undoubtedly increase the administrative burden on GP practices and the BMA has suggested some ways in which this burden can be eased.

In respect of practices working at scale, individual GP data controllers may agree to act as joint data controllers. Any such arrangement should be documented in a contractual agreement between the practices and legal advice should be obtained in relation to this.

For many smaller practices, appointing a principal or employee within the practice as Data Protection Officer may be difficult. The BMA has highlighted that this person does not necessarily need to be employed or retained by the practice. The BMA suggests that this could be an external person with the necessary experience and expertise however, that person would need to be directly accountable to management. We would urge practices to take legal advice in relation to the appointment as Data Protection Officer of any person outside of their organisation.

Again for practices working at scale, it is suggested that a formal Data Protection Officer can be a shared resource between the practices. This would need to be documented in a contractual agreement between the practices and the designated person. Specific legal advice should be obtained in relation to this.

Whilst guidance produced by the BMA and DHSC is a very useful summary of the new Regulations, it is important that you do obtain legal advice in relation to your specific obligations or in relation to any part of the Regulations about which you are unsure.

Our healthcare team are able to provide detailed advice to your management team in relation to your obligations under the new Regulations. We can also provide support to those practices working at scale who wish to benefit from further collaboration in respect of certain GDPR duties.

Please do not hesitate to contact us to discuss this further.


Contact Us






    Sintons LLP would like to contact you about the services that we have to offer. We would like to keep you informed of any important legal updates that may affect you, your organisation or business, such as our newsletters, legal bulletins and details of relevant training courses or other events you may be interested in attending.

    Please confirm that you are happy for Sintons LLP to contact you by:



    For further details on how your data is used and stored click here to see our Privacy Policy.

    You can always change your mind by unsubscribing here.

    We will only use your information to handle your enquiry and won’t share it with any third parties without your permission.