GDPR – are you ready?

Keeping confidential information about staff and patients secure is a responsibility NHS organisations have taken seriously for a long time.

But the requirements on them are about to increase. From May 2018, organisations will need to comply with the General Data Protection Regulation (GDPR), an EU regulation.

This has similarities with the existing UK Data Protection Act, but does extend requirements in some areas. The obligation to provide information to data subjects has been enhanced. The need for data controllers to undertake due diligence on their data processors, including the mandatory terms to be included in the contracts with processors, is much more prescriptive. There is a need to ensure that data privacy is built into all activities requiring the use of personal data. Mandatory reporting of information breaches is now a requirement for all data controllers, with a maximum 72-hour time limit.

By the very nature of their work, NHS trusts process large quantities of the most sensitive types of personal data (‘special category’ data under the new terminology) and so are at greatest risk if such data is not protected or is misused. The maximum fines for data breaches will be increased significantly – the current limit is extended from £500,000 to €20,000,000 or 4% of global turnover. It is likely that subject access fees will be abolished so trusts must ensure that their records teams are able to deal with the increased number of requests, while at the same time coping with the shortfall in income from this process.

The new law means boards and senior management will need to make changes in processes and procedures, appoint people to new roles, and weigh up the impact on some of the organisation’s activities such as contracting.


Hempsons is running hour-long sessions for boards which cover the crucial areas which board members need to be aware of, and ensure that their organisation is making the necessary changes.

In addition, Hempsons are also providing more in-depth sessions targeted at those within the trusts with primary responsibility for implementing the GDPR within the organisation. These include:

  • common myths and misunderstandings about the changes
  • the new role of Data Protection Officer
  • the changes to the subject access regime
  • the effect on contracts
  • the increased regulatory powers
  • the new risks for the organisation

To book a GDPR session, or to have an informal discussion, please contact the authors of the article.
