Supporting Caldicott Guardians across the UK


General Data Protection Regulation (GDPR)

The GDPR came into effect on 25th May 2018 and has been incorporated into the Data Protection Act (2018), which received Royal Assent on 23rd May 2018. The new Act replaces the Data Protection Act (1998). Much of the original legislation is essentially unchanged, but changes in practice and guidance that have developed over the years (for example 'privacy by design' and privacy impact assessments) have been incorporated into the new legislation, along with some new requirements, for example around transparency, consent and a 'right to be forgotten'.

General guidance on some implementation aspects has been provided by the EU Article 29 Working Party and the Information Commissioner's Office. Specific guidance for the health and social care sector has been developed by a national working party and the Information Governance Alliance: some of this has been released (see under Information Governance Alliance below). The remainder is expected to be released shortly.

In December 2018, the UK Government issued interim guidance on Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019.

The European Patients' Forum

A guide for patients and patients’ organisations.

Information Commissioner's Office (ICO)

Explains the provisions of the GDPR to help organisations comply with its requirements, intended for those who have day-to-day responsibility for data protection. Comprehensive and updated regularly.

Other guidance of particular relevance to health and social care

Information Governance Alliance (IGA)

Future guidance (awaiting approval or planned)

  • Privacy by design and default
  • Personal data breaches and notification
  • Profiling and risk stratification
  • GDPR overview
  • Primary care suite: optometry, pharmaceutical and dental
  • Transparency and subjects' rights
  • Social care awareness guidance
  • Pseudonymisation

Article 29 Working Party

The Article 29 Working Party ceased to exist on 25th May 2018 and has been replaced by the European Data Protection Board, which has endorsed the following guidance.

Health Research Authority

Medical Research Council

British Medical Association

Medical Defence Union

Understanding your data protection responsibilities

This page last updated: 18th December, 2018