GDPR and its impact on storing patient records

Ensuring that patient records (and other patient data) are kept safe is also a legal requirement, and one that will imminently be affected by the General Data Protection Regulation (‘GDPR’), which takes effect across the European Union on 25 May 2018.

GDPR will form part of UK domestic law from May 2018 (and its provisions are likely to continue in force following Brexit). GDPR is a European law, so it needs to be incorporated into UK law by a statute. At the time of writing the precise wording of that statute has not been finalised, and certain amendments to the Data Protection Bill were awaiting consideration by the House of Lords.

While some uncertainty remains about precisely how GDPR will apply in the UK, you should, of course, do your utmost to inform yourself about GDPR and use such guidance as is available to become ‘compliant’ before 25 May 2018. The ICO has published information for healthcare professionals at, including further guidance and resources for use in healthcare practice, and this would be an excellent place to start.

However, just as with any new law, there will inevitably be a period of uncertainty while the full practical implications of the new requirements become clear, and reliable guidance emerges in response (for example from the ICO or the GMC). It might take even longer for disputes arising out of the new law to be decided by the Courts and become precedents to provide clarification. Accordingly, you should not treat 25 May 2018 as the end of your work to become GDPR-compliant, but the beginning. Adapting your processes and procedures to respond to updated guidance as it emerges is likely to be necessary for months and possibly even years to come.

It is vital to know this because the GDPR obligations will apply to individual self-employed surgeons in exactly the same way as they will to large hospitals. Being a self-employed consultant with less expertise and fewer resources to deal with data protection compliance requirements than a large organisation might have will not be a defence in the event of a data protection breach. At the same time, there will be significantly higher penalties for data breaches – a maximum fine of “4% of global annual turnover” or €20 million (whichever is greater) for the most serious of infringements.

Over this period of legal change and uncertainty, self-employed surgeons will need all the assistance and support they can get to run their practices in a safe and compliant manner, without data protection issues taking up a disproportionate amount of surgeons’ precious time. The assistance available to Incision members includes a 24/7 medico-legal helpline provided by DWF LLP. This article is an extract of a more detailed and extensive guidance note available only to Incision members.

About the author

Joanne Staphnill, Partner - DWF LLP

After reading Law at Cambridge, Joanne was called to the Bar in 2003 and her work in pupillage included many clinical negligence and high-value personal injury cases. She re-qualified as a solicitor in 2006, and since then has regularly defended clinical negligence claims and has excellent experience in resolving claims through the pre-action protocol, alternative dispute resolution and through the courts. Joanne always aims to understand whether a claim may affect the clinician’s professional reputation and takes pride in guiding clients who are unfamiliar with the legal process. Joanne and the DWF team continue to provide legal assistance and support, and she produces extensive risk management materials for Incision members.