Illustration of a person holding a smartphone with a reminder for GDPR on itThe compliance deadline for the General Data Protection Regulation (GDPR) is fast approaching and have you been planning ahead to make your doctor’s practice GDRP compliant?

The regulation that will be enforced on 25 May aims to strengthen and unify data protection for individuals within the EU and address the export of personal data outside the EU. This is a good thing – citizens will ultimately gain back control of their data, which today, has become a commodity.

But the demands of GDPR compliance range wider than you think. With less than four months to go before the regulation becomes law, it’s important to be aware of the steps your private medical practice needs to take.

What’s changing

In your healthcare business, you’ll be processing data that includes names, photos, email addresses, medical records, and often patient’s bank details. In addition to data of your patients, you’re also holding personal information of your employees.

From May onwards, you’ll need to show that the way you treat this data is GDPR compliant; otherwise, you will be penalised. The fine can be hefty – up to 4% of your practice’s annual turnover.

Here’s are some of the key points to look at:


You need to ask for consent to store personal data, and the terms and conditions need to be accessible and transparent. You must also make it clear to people that they’re free to withdraw their consent. So, if at the moment you’re storing data without explicit permission, you’ll need to contact the individuals to request consent before May. It’s also important to note that if you’re dealing with children, you’ll need approval from their parent or guardian.

Breach notifications

If there’s been a data breach, personal information might get into the hands of a third party; therefore, you must notify the authorities within 72 hours of becoming aware of this breach. You should review your original data protection protocols and add this step in if necessary. Plan for the worst and have a detailed action plan in place in the event of a cyber-attack.

Right to access

Your patients have the right to ask for their data and to know how you’ve been using it. You’ll need to be able to give them an electronic copy of their data free of charge. Again, make sure you have an action plan in place that enables this.

Data protection officers

Where activities include “regular and systematic monitoring of data subjects on a large scale”, you’ll need to appoint a data protection officer. Assess your staff, select a person and adjust their job description accordingly.

Where to turn for guidance

For more information visit the GDPR section on the website of the Information Commissioner’s Office. You can also check out the guidance issued by the national GDPR working group and the Information Governance Alliance (IGA) on NHS Digital.

Speak to us at Tax Agility if you’re worried about budgeting for the changes you need to make. Working with dedicated and knowledgeable medical accountants like us means that you’ll know where your finances stand so you can concentrate on GDPR compliance without worrying about your accounts.

We’re specialist accountants for doctors, so to talk to Tax Agility about how we can assist your doctor’s practice.