Home Menu Search

GDPR Information pack

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. This regulation will be effective from the  25th May 2018.

Where GP’s are concerned this applies to personal and sensitive data they hold on patients.

Compliance is essential as fines under the GDPR are up to a maximum of 20 million Euro or 4% of turnover.

Main Actions:

  • GP’s need to establish both a lawful basis and a special category condition to process special category data.  Your Lawful basis should include Consent, Contract, Legal Obligation, Vital Interests and Public Task.
  • Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
  • Your Privacy notice needs to be simple, clear and easy to understand. It must include the following: Contact details of Practice, what personal information you hold (medical data), how you plan to use that information and contact details of your DPO. (More compulsory requirements can be found on the LMC’s GDPR presentation.)
  • Employees and Children require a separate privacy policy each that are more simplified and straightforward.
  • Compulsory appointment of a Data Protection Officer (DPO)- A DPO needs to be trained and cannot be conflicted- The LMC are currently in conversation with Federations and CCG’s on how we can support practices in creating this role.
  • The DPO will need to conduct audits and monitor compliance- be aware CQC inspections will be looking at practice’s compliance to GDPR.
  • Data Protection Impact Assessments (DPIA) will be the duty of the DPO- see ICO guidance here.


  • Notify ICO within 72 hours if you are aware of any breach no matter how serious.
  • Notify the individual this affects directly.


  • Patients have rights of access.
  • You cannot provide access unless you have removed references to third parties.
  • Patients can request amendment, correction, erasure. However, patients have no absolute right to be forgotten

We are pleased to be able to circulate with practices the guidance that has been developed and approved by the BMA and Paul Cundy, GPC policy lead relating to GDPR. This information pack includes:

  • Example of privacy poster
  • Practice privacy notices
  • BMA regulation guidance
  • Subject access requests
  • Implementation checklist
  • FAQ

The GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide information to patients about how the practice processes patient data in the form of ‘practice privacy notices’.

The Information Commissioner’s Office suggests that a layered approach can be used to inform patients. A suggested approach is that practices should display a poster in the waiting room and online (so the information can be seen by those who do not attend the practice).

Privacy poster

The poster must provide basic information which explains to patients how their medical records are shared. An additional option is to use the practice’s telephone answering system to play a recorded message which reminds patients to look at the website if they want to learn more about how the practice handles medical records and what their rights are.

The poster should signpost where more the detailed PPNs can be found on the practice website and elsewhere, for example leaflets at reception and/or leaflets given to new patients or provided with prescriptions.

Suggested example of text for a poster

Practice privacy notices

The four template PPNs are a suggested way for practices to provide this more detailed information for patients. The PPNs cover four key themes: provision of direct care; medical research and clinical audit; legal requirements to share; and national screening programmes.

The documents are formatted so that the key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.

Due to the variation in data sharing arrangements across local regions and between the four nations of the UK it is not possible to provide ‘one size fits all’ templates. It is therefore essential that practices amend and add wording to the templates so that they are relevant to local arrangements and the country in which the practice is based. Practices can copy and paste the wording in the templates where appropriate. The PPNs should be regularly reviewed and kept up to date.

Additional Information

We have also included the following information, which you may find useful.

Dr Paul Cundy, GPC IT Policy Lead, has published a series of blogs on the General Data Protection Regulation. He says "they are a narrative in nature and attempt to cover the questions (he) sees surfacing on the various email lists and other media. Their status should be of informed opinion. Facts are referred to as facts and opinions clearly identified and (he) hopes justified". The links below are accessible here for those people unable to access dropbox with kind permission from Dr Cundy.

Blog 0: GDPR - where to start, in the beginning etc

Blog 1: GDPR for GPs from the IT lead for GPC

Blog 2: Background and scene setting

Blog 3: Data Protection Officers

Blog 4: Privacy notices (Revised 8th May 2018) 

Blog 5: Texts and emails

Blog 6: Articles 6 and 9 deciphered

Blog 7: Subject Access Requests

Blog 7a: Subject Access Requests Part 2 (8th May 2018)

Blog 7b: Subject Access Requests Part 2 (8th May 2018)

Blog 8: Things to do list, plan, timetable

Blog 9: Fines

Blog 10: Erasure and Portability - NOT!

Blog 11: I'm an LMC - what's in it for me ? (Revised 2nd May 2018)

Blog 13: Data Privacy Impact Assessment(s)

Blog 13a: DPIAs Part 2 (20th May 2018)

Blog 14: Data breaches

Blog 15: Documentation

Blog 16: Those you employ

Blog 17: Consent

Blog 18: The Myth Buster (15th May 2018)

Blog 19: Contract with Processors (20th May 2018) 

Blog 20: Things to do, Letter for CCG 

Blog 21: Helpful People

The EU GDPR: The Key points for GPs by the Information Governance Alliance

Guidelines on Consent under Regulation 2016/679 (wp259) [adopted but still to be finalised]

Guidelines on transparency under Regulation 2016/679

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Official Section 251 guidance Health Research Authority

DRAFT: Privacy Notice - Care Quality Commission

DRAFT: Privacy Notice - Direct Care - Emergencies

DRAFT: Privacy Notice - Direct Care - Routine care and referrals

DRAFT: Privacy Notice- Carers 

DRAFT: Privacy Notice - LMCs

DRAFT: Privacy Notice - National screening programs

DRAFT: Privacy Notice - Payments

DRAFT: Privacy Notice - NHS Digital

DRAFT: Privacy Notice - Public Health

DRAFT: Privacy Notice - Research

DRAFT: Privacy Notice - Commissioning, Planning, Risk Stratification, Patient Identification

DRAFT: Privacy Notice - Safeguarding

DRAFT: Privacy Notice- Recording Telephone Calls (20th May 2018)

Template: SARs log (15th May 2018)

The BMA has also updated their guidance on GDPR which can be found here. 

Data Protection Officer (DPO) Presentation

On the 15th August 2018, LLR LMC hosted a "Beginners Guide to being a DPO" 

The key learning points from the event were:

  • It is a legal requirement to have a DPO and register them with the ICO
  • The DPO can NOT be the person who handles data requests/management in your practice
  • The DPO can NOT and should NOT be asked to draw up legal contracts

This is the presentation used during the event for your information. 


Updated on Monday, 3 September 2018, 3756 views

Related guidance...

National Updates 2018

September 2018 Fund General Practice: Recently, LMC’s across England have received information from a GP regarding challenging the bar...

GP Data for Planning and Research (GPDPR) - Data provision notice (DPN)

NHS Digital (NHSD) has sent out a Data Provision Notice (DPN) to all practices notifying them of the rollout of GP Data for Planning and...

Updates from the LLR LMC (June)

Please find below updates on some key matters which we hope you find of interest. Contents: Medical Examiner General Practice Data for...

Preparing for a CQC inspection

I'm sharing here some tips I have learned over the years in preparing for a CQC inspection- both as a former practice manager, and from...

BMA Official Guidance: Income Declaration (published 10/11/21)

The BMA has just released its official guidance on income declaration. Please see below: Our guidance on income declaration is...

'Non-essential services and unfunded work and requests to practices'

What do patients receive on the NHS from General Practice? Defining 'needs' and 'wants.' As CCGs, the Sustainability and...

2018/19 Indemnity Settlement & the Clinical Negligence Scheme for General Practice (CNSGP)

Please see the information relating to the 2018/19 Indemnity settlement. GPC England and NHS England have agreed the amount to cover the...


Coding for flu and CQRS NHS England (Central and Midlands) have pulled information together to support practices in getting their GP...

Official GPC LMC Updates

GPC Update to LMCs - 16th June 2022 The recent GPC update has included topics on the following areas: Update on NHS Property Services...

Privacy policy

When you use our website Our Website uses Google Analytics to record some information about the way you use our website, to help us...