Last updated:

General data protection regulation (GDPR)


The GDPR (General Data Protection Regulation) will apply from 25 May this year. It introduces wide-ranging and significant changes to UK data protection legislation.

The GDPR will increase the penalties for transgressions from a maximum of £500k under the current law to up to £17m or 4 per cent of turnover, whichever is higher. It strengthens existing requirements, and places greater emphasis on demonstrating compliance, as well as introducing a number of new concepts.

Due to the complex nature of the new regime for data protection laws, the BMA cannot offer comprehensive legal advice on GDPR, and this page should not be seen as such. However, it should help you navigate the legislation and point you in the right direction for guidance on the questions you may have. The page will be updated regularly as new guidance is published.


Watch our video

Our simple presentation helps to explain the key points of the new GDPR legislation. 


Who does it impact?

The GDPR applies to 'controllers' and 'processors' of data. Data controllers determine the purposes and means of processing personal data (for example GP practices). Data processors process data on behalf of the data controller (for example an IT system supplier).

The GDPR applies to personal data, which is any information relating to an identifiable person. There are also 'special categories' of personal data, such as health data, which are subject to greater protections.


What should I do now?

Ensure that your practice is compliant before the regulation comes into effect on 25 May 2018.

There are a number of resources to help you meet your obligations under GDPR, including detailed guidance, template privacy notices for GP practices, checklists, and FAQs. We've compiled a list of current, relevant resources (below) to get you started.


Further information

  • GDPR resources

  • FAQs on GDPR

    Can solicitors use SARs to request data on behalf of a patient?

    Yes. A patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances when a GP will be able to lawfully decline such requests.

    Provided the solicitor has given the GP the patient’s written consent for the disclosure of the full medical record, the SAR from the solicitor should be treated in the same way as if it was made directly by the patient. 

    What if the purpose of the SAR from the solicitor is for a legal claim, for example, in relation to employment or insurance?

    The purpose of the SAR should not affect whether or not GPs should comply. In fact, there is no requirement under the GDPR for the patient (or solicitor acting on their behalf) to indicate the purpose of the SAR. 

    In short, SARs are ‘purpose-blind’. The fact that the purpose might be for a legal claim does not place a limit on or reduce a patients’ SAR rights, including when the request is from the patient’s solicitor.

    Is it right that solicitors can ask for and receive full medical records under SARs? 

    Yes. A SAR made by a solicitor who is acting for the patient is, in effect, a SAR from the patient themselves. In this way, the solicitor can be viewed as someone who is acting in the patient’s interests or as the ‘agent’ of the patient. 

    As long as the patient has given written consent for their solicitor to access the full medical record, practices should comply with the patient’s or their solicitor’s request. 

    Solicitors will usually need to see full medical records so that they can assess which parts are relevant to the patient’s case. Past medical histories are highly relevant in compensation or insurance claims.

    Is this the same for insurers?

    No. There is a clear distinction between a SAR from a solicitor who is acting in their interests of the patient and a SAR from an insurance company. 

    The BMA has existing advice about SARs and the insurance industry. The ICO has said that the use of SARs by insurance companies to obtain full medical records is an abuse of SAR rights. 

    Can we charge solicitors a fee for SARs?

    Under GDPR, SARS are generally free of charge. Only if the SAR is considered to be ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged. 

    We don’t yet know when the circumstances when the ICO might consider it appropriate to charge a reasonable fee – but, in the BMA’s view, these circumstances are likely to be limited.

    How do I know the difference between a SAR and a request under the Access to Medical Reports Act?

    The GDPR entitles individuals to obtain a copy of their personal data. If the request from the solicitor is for a copy of the patient’s medical record, or a copy of some elements of the medical record, it is a SAR.

    If the request is asking for a report to be written or it is asking for an interpretation of information within the record this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act framework (or, in Northern Ireland, the Access to Personal Files and Medical Reports (Northern Ireland) Order 1991) - for which fees can be charged.  

    It is legitimate for GPs to clarify the nature of the request from the solicitor. If the solicitor confirms that they are seeking a copy of the medical record then this should be treated as a SAR and complied with in the usual way. 

    Can GPs charge for the cost of postage?

    No, the process of complying with a SAR – including postage costs - is free of charge unless the request is ‘manifestly unfounded or excessive’ in which case a reasonable fee can be charged.

    Can GPs insist the solicitor come to the practice to collect the copies of the record (rather than posting)?

    Provided the patient has given written consent to the full medical record being accessed, the GDPR does not prevent a solicitor from attending a practice in order to make a copy of the medical record.

    The practice must ensure that prior to the solicitor being granted access the record is reviewed to ensure that third party information and information which might cause serious harm to the patient or another individual is removed or redacted. (See the BMA’s guidance on Access to health records for the full list of information which must not be disclosed – para 4.9).

    The practice would also need to be able to offer appropriate facilities where the viewing could take place without undue risks to confidentiality.

    Practices cannot, however, insist that solicitors attend in person to take copies. A solicitor’s attendance is an appropriate option for providing access to the record if this is agreeable to both the practice and the solicitor.

    Can solicitors be asked to come to the practice to take photos of the records (with appropriate supervision?) If so, does redaction still need to occur or can the solicitor see the whole record without any redaction?

    The GDPR does not prevent solicitors taking photos of the medical record as a method for satisfying a SAR, provided this is with patient’s consent and the process is compliant with the advice in the above FAQ.