Last updated:

General data protection regulation (GDPR)


The GDPR (General Data Protection Regulation) will apply from 25 May this year. It introduces wide-ranging and significant changes to UK data protection legislation.

The GDPR will increase the penalties for transgressions from a maximum of £500k under the current law to up to £17m or 4 per cent of turnover, whichever is higher. It strengthens existing requirements, and places greater emphasis on demonstrating compliance, as well as introducing a number of new concepts.

Due to the complex nature of the new regime for data protection laws, the BMA cannot offer comprehensive legal advice on GDPR, and this page should not be seen as such. However, it should help you navigate the legislation and point you in the right direction for guidance on the questions you may have. The page will be updated regularly as new guidance is published.


Watch our video

Our simple presentation helps to explain the key points of the new GDPR legislation. 


Who does it impact?

The GDPR applies to 'controllers' and 'processors' of data. Data controllers determine the purposes and means of processing personal data (for example GP practices). Data processors process data on behalf of the data controller (for example an IT system supplier).

The GDPR applies to personal data, which is any information relating to an identifiable person. There are also 'special categories' of personal data, such as health data, which are subject to greater protections.

Read our guidance on GPs as data controllers under the GDPR


What should I do now?

Ensure that your practice is compliant before the regulation comes into effect on 25 May 2018.

There are a number of resources to help you meet your obligations under GDPR, including detailed guidance, template privacy notices for GP practices, checklists, and FAQs. We've compiled a list of current, relevant resources (below) to get you started.


Further information