This site is intended for health professionals only

Preparing for GDPR – GP practice check list

26 April 2018

Share this article

GPC IT policy lead Dr Paul Cundy runs through a check list of actions for practices to prepare for the EU General Data Protection Regulation
With the EU’s General Data Protection Regulation (GDPR) due to come into force on 25 May, GPC IT policy lead Dr Paul Cundy runs through a check list of actions to help you get prepared.

  • Agree amongst the signatories to your NHS contract, usually the partner GPs (the organisation’s data controllers) who should be your (DPO). I recommend a partner, practice manager or Caldicott Guardian takes on the role, at least initially. If you are an NHS contract holding practice you MUST have a DPO. 
  • Find your DPO time, a desk and a workstation. Make sure your DPO is up to speed with guidance
  • Get your DPO to assist with: 
  • Ensuring that the practice contract holders are aware of their new responsibilities. 
  • Drawing up a plan to reach 100% compliance with GDPR within a reasonable date; six months – by 1 November 2018 – is a reasonable timeframe for busy practices.
  • Arrange meetings with partners, salaried doctors, nurses, practice managers and the rest of your staff to set out the broad changes of GDPR. Set up a program of GDPR training for all staff members.
  • Ensure that your CCG practice IT agreement is signed by a partner, or someone representing the practice and the CCG.
  • Review what data processing you do within your practice.
  • Review what data processing is done on your behalf by external processors, and what data they use to do this.
  • Check with your CCG what local data extractions your practice is involved in.
  • Create and publish any necessary privacy notices.
  • Create your data processing register.
  • Check with any other non-NHS bodies such as researchers or institutions that you have suitable contracts and consents in place.
  • Check that you are collecting consent for non-direct care communications with your patients.
  • Revise your subject access request handling arrangements to meet the new options and deadlines.
  • Revise your data breach detection and reporting arrangements.

Dr Paul Cundy is IT policy lead at the BMA GP Committee. You can access a series of his blogs setting out what GPs need to know about the GDPR via Dropbox here.
This article was first published on our sister publication Pulse.