Briefing / The General Data Protection Regulation (GDPR)

26 March 2018 Lisa Robertson
1 CPD hour

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. This new legislation applies to all organisations collecting and processing personal information. The NHS is made up of a large number of organisations processing both staff and patient data, and in many cases passing this data on to others. NHS organisations, and separately NHS charitable funds, must take action to ensure they are ready.

The GDPR provides an important update to existing data protection legislation, recognising today’s privacy challenges brought about by changes such as advanced technology and social media. It contains data protection principles and rights for individuals over their personal data.

The additional requirements of the GDPR are likely to impose an additional burden on NHS organisations, in the context of already strained resources. For the GDPR, it is essential that NHS bodies have a clear understanding of how data flows within, and outside of, their organisation and that arrangements are in place to ensure this meets the GDPR requirements. As well as this, the accountability principle introduced by the GDPR makes it essential that NHS organisations can also demonstrate what they are doing to mitigate data protection risks.

This briefing aims to raise awareness of the high-level requirements of the new legislation for NHS organisations and to highlight the guidance and support available to ensure that appropriate arrangements are in place. It sets out the key changes within the GDPR and includes an appendix of the top ten actions for NHS organisations to consider. It will be of particular interest to audit committees.

CPD accredited