This site is intended for health professionals only

Preparing for new data regulations – GP practice check list

With the EU’s General Data Protection Regulation (GDPR) due to come into force on 25 May, GPC IT policy lead Dr Paul Cundy runs through a check list of actions to help you get prepared.

  • Have someone from your practice read guidance on the GDPR from the BMA, Information Commissioner’s Office (ICO), the Information Government Alliance (IGA) and my blog series for GPs available via Dropbox.[1-3]
  • Agree who will be your data protection officer (DPO). I recommend a partner, practice manager or Caldicott Guardian takes on the role, at least initially. If you are an NHS contract holding practice you MUST have a DPO. 
    • Find your DPO time, a desk and a workstation. Make sure your DPO is up to speed with guidance
  • Get your DPO to assist with: 
    • Ensuring that the practice contract holders are aware of their new responsibilities. 
    • Drawing up a plan to reach 100% compliance with GDPR within a reasonable date; six months – by 1 November 2018 – is a reasonable timeframe for busy practices.
  • Arrange meetings with partners, salaried doctors, nurses, practice managers and the rest of your staff to set out the broad changes of GDPR. Set up a program of GDPR training for all staff members.
  • Ensure that your CCG practice IT agreement is signed by a partner, or someone representing the practice and the CCG.
  • Review what data processing you do within your practice.
  • Review what data processing is done on your behalf by external processors, and what data they use to do this.
  • Check with your CCG what local data extractions your practice is involved in.
  • Create and publish any necessary privacy notices.
  • Create your data processing register.
  • Check with any other non-NHS bodies such as researchers or institutions that you have suitable contracts and consents in place.
  • Check that you are collecting consent for non-direct care communications with your patients.
  • Revise your subject access request handling arrangements to meet the new options and deadlines.
  • Revise your data breach detection and reporting arrangements.

Dr Paul Cundy is IT policy lead at the BMA GP Committee. You can access a series of his blogs setting out what GPs need to know about the GDPR via Dropbox here.



1. Information Commissioner’s Office. Guide to the general data protection regulation

2. BMA. GPs as data controllers under the GDPR

3. NHS Digital. Information Governance Alliance. GDPR guidance.