What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) was introduced to unify all EU member states' approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organisations using their data irresponsibly and puts them in charge of what information is shared, where and how it's shared.
GDPR came into force on 25 May 2018 - and even though the UK is due to leave the EU, it will still apply to all businesses handling EU residents' data, effectively replacing the Data Protection Act 1998.
'Controllers' and 'processors' of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
It's the controller's responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
To help you understand what this means for you and how we handle your data, there are three documents with varying levels of information.
Privacy Notice. This is simply a summary.
Privacy Notice for Children
Your medical records. This gives more detail in a number of areas, including details on how to opt out of some data sharing.
Your Medical Records
Detailed privacy information. This is a more detailed document that looks at every instance where data is shared and/or processed by third parties.