THE GDPR Clock is ticking… are you prepared for the changes?


What will be your lawful basis for processing and sharing healthcare information under the GDPR?

If you are relying on ‘consent’ you might want to think again!

Patient-sensitive information is the life-blood of the health and care sector. How healthcare data is used is essential to the provision of the best care. Keeping information secure and processing it lawfully is not just about privacy; it is also about patient safety. Get it wrong and patients can suffer. Trust and confidence in your organisation will be damaged. Serious regulatory consequences will follow, with ensuing reputational damage and loss of business. It will hit your bottom line!

The EU General Data Protection Regulation comes into force in May 2018

Recently Mills & Reeve and Lockton held a round table discussion on GDPR and the new regulations as they affect the processing of health data and, in particular, the sharing of health records and information.

One very important issue (amongst many) was discussed.

What will be the lawful basis of processing health information going forward?

No business can put off preparing for the changes. Preparing now makes good commercial sense, particularly for those operating in the high-profile healthcare market.

Sharing patient sensitive information

Health and care bodies will have to make sure they hold and use information in a way which is compliant with the new data processing conditions.

More efficient and effective sharing of patient information (including the exchange of information between public sector and independent organisations) is critical for better, safer and more efficient delivery of care.

But how is it to be made available, and to whom? How will access be controlled? What are the security arrangements? In an era of public anxiety about data sharing and confidentiality, independent healthcare providers must have actively considered, and recorded, a clear lawful basis for sharing, and back this up with information sharing agreements to protect themselves and their patients.

The changes mean that relying on ‘consent’ or ‘implied consent’ is unlikely to be an option. Companies need to review their data flows and map what is processed, how, and why. You need to look at the GDPR and determine the lawful basis for all your processing – and you need to do it now.

In our experience it is possible to put proper arrangements, backed by insurance protection, in place to provide assurance that best practice is in hand. What is clear, however, is that compliance takes both time and planning. It must be budgeted for and considered as part of your overall contractual arrangements as a provider of care. With proper planning and advice, the independent health sector should be able to put proper systems and protections in place to make it happen and deliver better, safer and integrated health care.

For information relating to this article, please contact us at:

Sarah Hollinshead


t +44 (0)161 828 3311



*Please note that this article does not constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article.

