General Data Protection Regulation (GDPR)
The GDPR comes into effect on 25th May 2018 and is being incorporated into a new Data Protection Bill which is presently (Jan 2018) going through Parliament. The new bill will replace the Data Protection Act (1998). Much of the original legislation is essentially unchanged, but there have been changes in practice and guidance over the years (for example 'privacy by design' and privacy impact assessments) which are being incorporated into the new legislation along with some new requirements, for example around transparency, consent and a 'right to be forgotten'.
General guidance on some implementation aspects has emerged from the EU Article 29 Working Party and the Information Commissioner's Office. Specific guidance for the health and social care sector has been developed by a national working party and the Information Governance Alliance: some of this has been released (see under Information Governance Alliance below); the remainder is expected to be released shortly.
The European Patient's Forum
A guide for patients and patients’ organisations.
Information Commissioner's Office (ICO)
Explains the provisions of the GDPR to help organisations comply with its requirements, intended for those who have day-to-day responsibility for data protection. Comprehensive and updated regularly.
Other guidance of particular relevance to health and social care
- Lawful basis for processing
- Legal obligation
- Vital interests
- Special category data
- Data protection impact assessments
Information Governance Alliance (IGA)
- GDPR: What's new guidance
- GDPR: Implementation checklist
- GDPR: Guidance on accountability and organisational priorities
- GDPR: Guidance on the Data Protection Officer
- GDPR: Guidance on consent
- GDPR: Guidance on lawful processing
CEO briefing highlighting what health organisations and arm's length bodies need to consider to prepare for the EU General Data Protection Regulation (GDPR), which will apply from 25th May 2018.
- Frequently asked questions (undated, but "updated regularly")
Future guidance (awaiting approval or planned)
- Transparency and subjects' rights
- Social care awareness guidance
- Privacy by design and default
- Personal data breaches and notification
- Profiling and risk stratification
- GP Practice/primary care suite
Article 29 Working Party
- Data Protection Officers
- The right to data "portability"
- Personal data breach notification
- Automated individual decision-making and profiling
- Guidelines on Data Protection Impact Assessment (DPIA)
Adopted guidelines for which consultation has closed but which are still to be finalised
Health Research Authority
- Data protection changes in 2018: what does that mean for research?
- Legal basis
- Data subjects' rights
Medical Research Council
- GDPR – Preparations for implementation
- GDPR – Preparations for implementation: Guidance note 2
- GDPR – Preparations for implementation: Guidance note 3
British Medical Association
This page last updated: 15th March, 2018