The General Data Protection Regulation (GDPR)

We’re taking steps to prepare for the introduction of the GDPR on 25 May 2018.

What is GDPR

The General Data Protection Regulation (GDPR) is an important data protection regulation change, which was decided by the European Parliament, the Council of the European Union and the European Commission with the intention of strengthening and unifying data protection for all individuals within the European Union (EU). The GDPR replaces the Data Protection Act 1998 and will come into effect on 25 May 2018. All companies processing personal data residing within the EU must comply.

Why the change

The changes are due to the current digital age in which we live in and the growth of the internet, including social media and the cloud. The GDPR sets out a new legal framework within the EU to update privacy standards to address these new technologies. Allowing data subjects much more control over their own personal data, organisations must ensure systems facilitate the processing of personal data for data subjects.

Key changes

The GDPR includes several changes:

  • The scope of the law now extends to controllers and processors who reside outside the EU but process EU citizen person data.
  • Organisations in breach of GDPR will now fall under the new penalty regime with fines up to 4% of annual global turnover or €20 million, whichever is greater.
  • Data subject rights are enhanced; examples include:
    • The ‘Right to Access’: the right to obtain confirmation from data controllers as to whether or not personal data concerning them is being processed.
    • ‘The Right to be Forgotten’, which is also known as Data Erasure: the right to personal data being erased and forgotten by data controllers.
    • ‘Data Portability’: the right for data subjects to have their data transmitted from one controller to another.
  • Consent changes include:
    • Consent has shifted to explicit consent with the requirement for consent to be provided for each purpose of processing.
    • Data controllers must keep records of consent and the context it was provided.
    • Consent should be easily withdrawn as it is given.
    • Blanket or generic consent is no longer considered consent with consent being specific and informed.


There is a large degree of uncertainty surrounding the exit negotiations and the terms that will be agreed once the UK leaves the EU.

The Data Protection Bill was introduced to the House of Lords on 13 September 2017 with the intention of making data protection laws fit for the digital age in which we live. With the increasing amount of data being processed this bill will empower people to take control of their data. Support UK businesses and organisations whilst ensuring the UK is prepared for the future after we leave the EU.

How are Healthcare Gateway preparing for the change?

As an interoperability specialist, Healthcare Gateway is home to the Medical Interoperability Gateway (MIG) which is a unique piece of software connecting 180 health and social care organisations across the UK sharing 30 million patient records.

Retaining and earning our customer’s trust in the handling of their data is key to our business. We have maintained a culture of compliance within Healthcare Gateway to the current Data Protection Act and the principles within. We deploy robust security safeguards to secure the data we handle; this is reflected within our ISO 27001 certification.

Healthcare Gateway have appointed a data protection officer (DPO) whose key responsibilities are preparing the business for any required changes, continuous monitoring of GDPR as it moves to becoming more clearly defined and how this will relate to the Data Protection Bill and the ‘National Data Guardian for Health and Care, Review of Data Security, Consent and Opt-outs’.

If you have any questions about our preparation for GDPR, please refer to our FAQs.