From May 25, 2018, the General Data Protection Regulation (GDPR) will significantly change the way healthcare organisations use and store all their personal information. The changes for data protection will be the biggest across Europe since 1995 and the UK since the Data Protection Act (DPA) in 1998. Most data security professionals agree it’s a radical change and long overdue.

Keeping confidential information about staff and patients secure is a responsibility all healthcare providers have taken seriously for years. Indeed, the DPA underpins much of the GDPR, but with a crucial difference; while organisations were encouraged to comply with the DPA in case of data breaches (and many were fined if they were found to be negligent following a breach), now all organisations that hold, control or process personal data, including health and social care organisations, are legally bound to comply. So while the DPA encouraged best practice, the GDPR enforces compliance.

This difference has huge implications for big and small healthcare organisations that will now have to grapple with the idea of creating GDPR awareness across their entire staffing regime, out into third sector partnerships and beyond.

If the Information Commissioner’s Office (ICO) is called in to investigate an organisation for any number of reasons, that organisation will have to show the measures it’s taken to ensure compliance. If a data breach occurs and a trust does not follow the necessary compliance framework, the ICO will be obliged to issue a fine.

The level of the fine will depend on the type and scale of the breach and on the extent to which an organisation can show that it has attempted to adhere to the GDPR requirements or has sought to correct any identified lapse.

Under the GDPR, the maximum for a lower, tier 2 fine is £8 million or 2% of the organisation’s annual global turnover, whichever is higher. Or, if the organisation has shown disregard for GDPR, a higher tier could take fines up to £18 million or 4% of annual turnover, whichever is higher.

Generally, breaches of controller or processor obligations, or failure to notify the ICO of a breach within 72 hours could be subject to a fine within the lower tier, while breaches of data subjects’ rights and freedoms will result in the higher level of fine.

Healthcare organisations will not be exempt from such fines if they’re found to be negligent around storing and processing data.

The ICO has repeatedly said it will not deliberately scapegoat organisations for non-compliance and that fines will be dissuasive rather than financially crippling. Nevertheless, the ICO has also said that negligence will be met with the full force of the law. In essence, don’t panic; but do panic if you fail to take the GDPR seriously.

It’s not just the slap on the wrist that worries many managers and directors. It will also involve reputational damage that could be far worse than the fine itself, particularly as most organisations are part of a larger framework of healthcare providers. If any part of this framework is found to be failing in its duties to comply with the regulation, the knock-on effect will be felt by everyone.

So the GDPR is to be taken very seriously.


Rights of the data subjects

The starting point of the GDPR involves the fundamental rights of data subjects – these data subjects are defined as natural, living persons; the GDPR does not apply to people who have died.

Underpinning the GDPR (as with the DPA), organisations have to comply with the key principles of data protection. Data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for a specified, explicit and legitimate purpose
  • Adequate, relevant and limited to what is necessary
  • Accurate and where necessary kept up to date
  • Kept in a way which identifies the individual only for as long as is necessary
  • Processed with appropriate security using technical and/or organisational measures.

These principles are linked to the rights of individuals (Box 1) in the form of an updated bill of human rights that helps to form the core of the GDPR.


Lawful processing

Importantly for organisations, the lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever an organisation processes personal data:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (not applicable for public authorities processing data to perform their official tasks).



As with the DPA, processing still has to be carried out with an individual’s consent, but the standard for consent is now higher.

So, under the GDPR the requirements for valid consent are stricter and – as with many areas of health and social care – consent means offering people choice and control over how their data is used.

The GDPR requires that consent:

  • Must be freely given, informed, unambiguous and involve a clear affirmative action
  • Must be separate from other terms and conditions; pre-ticked opt-in boxes, for example, are banned
  • Must be granular, with separate consent for distinct processing operations
  • Must be documented: data controllers must keep clear records to demonstrate consent
  • Must be explicit in the case of ‘special categories of data’ (currently sensitive data).

As part of the regulation, sensitive data is now defined as ‘special categories’ of personal data, including aspects such as race, politics, religious beliefs, trade union membership and – importantly for healthcare providers – physical or mental health. The updated areas covered include a person’s internet IP address and biometric data.

The GDPR also gives the right to withdraw consent. The controller must tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.


Data controllers and processors

Data controllers are typically organisations overseeing health and social care such as the NHS, local social care services or the third sector. The controller – the organisation that determines the means and purposes of processing – has to take appropriate measures to ensure that the data is protected. In particular, they have to ensure the data subject is aware of what is going to be done with their data and that information has to be provided in a precise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important on websites or portals that capture personal data and privacy documents will need to be updated. Furthermore, website consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service. Pre-ticked opt-in boxes will no longer be valid under the GDPR.

Meanwhile, data processors can be other organisations or individual contractors that are retained to carry out care in the community and will need to be operating under specific contracts written up by the controllers. To complicate matters still further – because of the vast amounts of data that health and social care collect – an organisation can be both a controller and processor depending on how that data is being stored, processed and used.

(Note: The appointment of joint data controllers is also a possibility. This can apply where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term ‘in common’ applies where two or more persons share a pool of personal data that they process independently of each other.)

It is crucial for controllers to understand that they need to ensure processors are processing in compliance with their explicit instructions. Furthermore, processors are now defined in law for the first time and are not permitted to process data except under the contractual obligations set by the data controller.

This complex network of controllers and processors will need to ensure compliance under the GDPR across the piece.

It is not unusual for healthcare organisations to have multiple relationships with third party data processors and for each of those third parties to be doing different things with the data. Inevitably, this could be a problem for healthcare practitioners, for example, who are working with vulnerable people at high risk and who are in contact with different agencies. These patients don’t necessarily understand what is happening to them and the GDPR makes provision for processing data without the consent of a data subject (refer back to lawful processing).

Another factor involving data is that of staff. Often staff information is processed under a clause in the contract of employment that states: ‘you consent to the processing of your data for the purposes of this employment’. Under the GDPR the balance of power between employer and employee is such that the employee can be considered to have been forced to agree to it. That means the contract of employment effectively needs to be replaced or updated so that alternative lawful bases are in place.


Data subject access requests

A key area for meeting compliance obligations is ensuring a proper understanding of how to deal with the exercise of data subjects’ rights. A proper process needs to be in place when an organisation receives a data subject access request (DSAR).

If a person requests a data audit trail, this has to be provided within 30 days, rather than the previous 40 days. There is now no charge and if disgruntled ex-employees or unhappy members of the public fail to receive that audit trail they can complain to the ICO, which is obliged to start digging into an organisation’s compliance framework. This is something most organisations will not want to happen, even if they are complying with the GDPR.


Data Protection Impact Assessment

Ultimately, for all organisations the main task is to understand that data protection should be a cornerstone of all policies and procedures and underpin updated methods of accountability and governance.

A way to overcome any accusations of negligence arising from a breach or a DSAR is to carry out a Data Protection Impact Assessment (DPIA), which is essentially a risk assessment report that highlights areas of high risk to individuals and will be the compliance document of all organisations when it comes to meeting the GDPR requirements.

An organisation is advised to develop competence around a DPIA, which is not necessarily new but is now a legal requirement. Also, the DPIA should not be a one-off exercise; it should be carried out for all new systems, and for legacy systems where changes are occurring; and processes may need to be constantly re-evaluated.

If an organisation is breached but can demonstrate that it carried out a DPIA (identifying potential risks and closing them down), all of that will count in mitigation and support the argument that any fine levied should be towards the bottom end of the scale. Proportionality is also a requirement on supervisory authorities, which must take account of the extent of negligence when determining fines.

So, an organisation that has been completely negligent would expect to receive a fine at the higher end of the spectrum. Organisations that have done a lot to meet their compliance obligations should expect a fine at the lower end. If appropriate assessments have been completed and protective controls established, and in the event of an incident, further assessments and actions have been taken to control newly identified risks, then there may be cases where no fine is issued.


Andrew Chilvers
Specialist data journalist


Part 2 will focus on data protection and the role of the Data Protection Officer.