Office opening hours: 8.30am to 5.30pm Monday to Friday. Offices closed on Bank Holidays.
Home Menu Search

GDPR Headlines

BMA Guidance

To read the BMA’s latest guidance on Subject Access Requests (including fees), Data Protection Officers, FAQs and more go to: and click on ‘further information’.

BMA GDPR Privacy Notices

Template GDPR (PPNs) are available on the GDPR in the BMA resources section. The hubpage also contains information on the regulation and hosts a suite of resources and blogs to help guide members, including a new GDPR webinar to help practices prepare. Click here to download more information:

Principles of Data Sharing for GPs

In light of GDPR / DP 2018 we are aware that many practices are asked to review Data Sharing Agreements, to this end the following document provides practices with an updated guide reflecting current legislation (and we thank Londonwide LMCs for sharing this document):  Principles of Data Sharing for GPs

GDPR Templates

Please see below a number of policies relevant to the GDPR. You may wish to adapt/amend the documents for your own surgery, but you do need to make sure that it reflects the arrangements within your own organisation as they will inevitably vary from practice to practice. Our thanks to the Testvale Surgery and The Centre Practice for sharing their policies with us.

Data Map Audit

GDPR Privacy Notice v2 April 2018

GDPR Personal Data Breach Policy

Personal Data Breach Monitoring Template

Data Protection & Medical Confidentiality Policy

Access to Medical Records / Subject Access Request Policy

Employee Privacy Policy

What is the GDPR (General Data Protection Regulation)?

The GDPR is a regulation that became applicable on 25th May 2018. Its strengthens the protection of personal data. The UK is enacting a Data Protection Bill which enshrines the provisions of the GDPR into UK law and establishes continuity of the GDPR in the UK post Brexit. The Data Protection Act will be repealed at this time.

Compliance is essential as fines under the GDPR are up to a maximum of 20 million Euro or 4% of turnover.

The GDPR strengthens the controls that organisations (data controllers) are required to have in place over the processing of personal data, including pseudonymised data.

Headline Requirements

The Information Governance Alliance (see: has published general guidance and some resources for primary care.

The British Medical Association has published guidance at:  

The information commissioners office, who regulate data protection law, have published a couple of check lists which may be helpful,

They also have GDPR specific webpages at:

And the GPC has advised the following:


This page appears in...

About this page...

Updated on Monday, 29 April 2019 5809 views