
Preparing for new data regulations – GP practice check list

GPC IT policy lead Dr Paul Cundy runs through a check list of actions for practices to prepare for the EU General Data Protection Regulation

With the EU’s General Data Protection Regulation (GDPR) due to come into force on 25 May, GPC IT policy lead Dr Paul Cundy runs through a check list of actions to help you get prepared.

  • Have someone from your practice read guidance on the GDPR from the BMA, Information Commissioner’s Office (ICO), the Information Governance Alliance (IGA) and my blog series for GPs available via Dropbox.[1-3]
  • Agree who will be your data protection officer (DPO). I recommend a partner, practice manager or Caldicott Guardian takes on the role, at least initially. If you are an NHS contract-holding practice you MUST have a DPO.
    • Find your DPO time, a desk and a workstation. Make sure your DPO is up to speed with guidance.
  • Get your DPO to assist with: 
    • Ensuring that the practice contract holders are aware of their new responsibilities. 
    • Drawing up a plan to reach 100% compliance with GDPR by a reasonable date; six months – by 1 November 2018 – is a reasonable timeframe for busy practices.
  • Arrange meetings with partners, salaried doctors, nurses, practice managers and the rest of your staff to set out the broad changes of GDPR. Set up a programme of GDPR training for all staff members.
  • Ensure that your CCG practice IT agreement is signed by a partner, or someone representing the practice and the CCG.
  • Review what data processing you do within your practice.
  • Review what data processing is done on your behalf by external processors, and what data they use to do this.
  • Check with your CCG what local data extractions your practice is involved in.
  • Create and publish any necessary privacy notices.
  • Create your data processing register.
  • Check with any other non-NHS bodies such as researchers or institutions that you have suitable contracts and consents in place.
  • Check that you are collecting consent for non-direct care communications with your patients.
  • Revise your subject access request handling arrangements to meet the new options and deadlines.
  • Revise your data breach detection and reporting arrangements.

Dr Paul Cundy is IT policy lead at the BMA GP Committee. You can access a series of his blogs setting out what GPs need to know about the GDPR via Dropbox here.



1. Information Commissioner’s Office. Guide to the general data protection regulation

2. BMA. GPs as data controllers under the GDPR

3. NHS Digital. Information Governance Alliance. GDPR guidance.





Readers' comments (6)

  • Another nail in the coffin of General Practice


  • Can we have this in English!!!

    A step by step guide would be very helpful as to what it is we need to do.


  • The above looks like a step by step guide!


  • Is it correct that insurance companies and patients can now request entire copies of notes and we cannot even charge for photocopying etc?
    Surely the LMC need to review this! Why are we responsible for funding their requests and financially penalised? More lunacy!


  • Neil Bhatia

    @Fed up
    No - this would be a request under a different Act
    See Paul Cundy's other article


  • I now have a 6 inch high stack of photocopied notes to comb through every week. I have a session set aside for doing that. And the unintended consequences of that are? Did anyone even THINK about that? What's the professional thing to do for a GP? Comply with the bullshit or pretend you've done it and see some patients? No brainer frankly...
