General Data Protection Regulation

Posted by Katrina on 09/08/2017

Simplyhealth Data Protection Officer Rob Dixon explains how the key forthcoming changes to data protection law will affect you and your practice.

In May 2018 the law on data protection will change to a new Europe-wide General Data Protection Regulation (GDPR). While the majority of obligations will remain the same, there will be some amendments and some new aspects, such as changes to the information that must be provided in privacy notices when capturing an individual's personal data.

The current Data Protection Act (DPA) in the UK is based on the European Data Protection Directive, which was introduced over 20 years ago. Due to advances in technology and changes in the ways both individuals and organisations use and share information, a review of the Directive was undertaken and the GDPR was produced. As this piece of law is a regulation rather than a directive, it will apply directly and in its entirety across all member states, without needing to be transposed into national law. The final text was agreed in 2016 and a two-year transition period began, to give organisations time to adapt to the new and amended obligations, with the GDPR becoming law across the EU on 25th May 2018.

With the UK leaving the EU, there is a possibility that in the longer term the UK may adopt different data protection legislation. However, this will not happen before 25th May 2018 and I believe it's highly unlikely, as the UK will still want to trade with EU member states in industries that deal with personal data, and having a different set of rules would carry the risk of the UK's data protection laws not being considered adequate.

Whatever the UK's long-term approach post Brexit, companies that handle personal data need to prepare for the GDPR coming into force on 25th May 2018 [2]. Simplyhealth are preparing for the GDPR by reviewing the changes internally and working through the 12 steps to compliance published by the Information Commissioner's Office (ICO) [3]. Based on the ICO's 12 steps, the following is a list of some of the key changes to consider when preparing for 25th May 2018.

Information held/proof of compliance

There is a requirement to maintain records of the data held, the processing activities carried out, the legal grounds on which each processing activity is carried out, who the data is shared with and the applicable retention periods. Carrying out an information audit will establish what is required and will also provide a reference point for the following steps of the transition plan.

Privacy notices

Privacy notices are required to inform individuals what will happen to their information once they have disclosed it. Under the GDPR there is an enhanced list of information that must be included in all privacy notices, such as the legal basis for the processing, the individual's rights (including the right of access to their data) and how long their data will be retained.

Individuals’ rights

There are some enhancements to individuals' rights, such as the right to have data corrected or deleted (where there are no overriding grounds to keep it) and the right to data portability. This step requires a review of the processes for handling requests from individuals, so that they can be updated and communicated where necessary.

Subject access requests

The rules for dealing with subject access requests will change under the GDPR. The £10 fee can no longer be applied and the deadline for disclosing the information will be one month, rather than the current 40 days. Internal processes should be updated to reflect the new rules.

Legal basis for processing personal data

During the initial information audit, each type of data processing carried out will be documented. Following this, the legal basis for each type of processing will need to be established and documented, as it must also be stated in the privacy notice.

Mandatory breach notification

Where a breach is likely to result in a risk to the rights and freedoms of individuals, there is an obligation to notify the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of it. In addition, if the breach is likely to result in a high risk to the rights and freedoms of individuals, there is an obligation to notify the affected individuals as well.

Data protection impact assessments

Where a new type of processing is intended, in particular one using new technologies, that is likely to result in a high risk to the rights and freedoms of individuals, a Data Protection Impact Assessment (DPIA, referred to by the ICO as a Privacy Impact Assessment or PIA) is required. A DPIA is a documented process for reviewing the potential privacy impacts on individuals and logging the controls that will be in place to ensure the data is handled correctly.

International

Where organisations operate internationally, the lead supervisory authority (the main data protection authority whose oversight the processing will fall under) will need to be determined. This will be required wherever there are current or proposed overseas customers or business.

Increase in the level of fines

Under the GDPR there is an increase in the maximum fine that can be issued following a breach, from £500K to 20 million euros or 4% of global annual turnover, whichever is the higher. It is not known what the average fine will be, but as a result of the increase, and the introduction of mandatory breach reporting across all industries, there is a significant jump in the level of risk relating to data protection incidents.

Codes of practice

To help organisations prepare for the GDPR, the ICO and the Article 29 Working Party, made up of the data protection authorities of all the Member States, are producing new 'codes of practice' which will be published on their respective websites, along with other useful guidance.

For more information on planning for the regulatory changes, speak to your Consultant or call the Practice Support Team on 0800 587 2581.


1. Information Commissioner's Office - Data Protection Reform webpage

2. European Commission - Reform of EU Data Protection Rules webpage

3. Information Commissioner's Office (ICO) - Preparing for the GDPR: 12 steps to take now