Last updated:

General data protection regulation (GDPR)

The GDPR (General Data Protection Regulation) will apply from 25 May this year. It introduces wide-ranging and significant changes to UK data protection legislation. The GDPR will increase the penalties for transgressions from a maximum of £500k under the current law to up to £17m or 4 per cent of turnover, whichever is higher. It strengthens existing requirements, and places greater emphasis on demonstrating compliance, as well as introducing a number of new concepts.

Due to the complex nature of the new regime for data protection laws, the BMA cannot offer comprehensive legal advice on GDPR, and this page should not be seen as such. However, it should help you navigate the legislation and point you in the right direction for guidance on the questions you may have. The page will be updated regularly as new guidance is published.


Who does it impact?

The GDPR applies to ‘controllers’ and ‘processors’ of data. Data controllers determine the purposes and means of processing personal data (for example GP practices). Data processors process data on behalf of the data controller (for example an IT system supplier). The GDPR applies to personal data, which is any information relating to an identifiable person. There are also 'special categories' of personal data, such as health data, which are subject to greater protections.


Am I a data controller?

The term 'processing' essentially covers anything that is done to, or with, personal data - including simply holding, recording or retaining data.

A controller determines the purposes and means of processing personal data. If you decide the purpose for which you are collecting and processing personal data, you are a data controller.

A processor acts under the instructions of a data controller.

All data controllers will need to take steps to ensure their data protection compliance. For GP practices, the key changes include maintaining a record of their data processing activities, and providing more information for patients in the form of privacy notices.

Read our guidance on GPs as data controllers under the GDPR


What should I do now?

Ensure that your practice is compliant before the regulation comes into effect on 25 May 2018.

There are a number of resources for data controllers and data processers in the health industry, including detailed guidance, checklists, and FAQs. We've compiled a list of current, relevent resources (below) to get you started.


Further information