General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and supersedes the Data Protection Act 1998. The GDPR gives member states limited opportunities to make provision for how it applies in their country and the details of these, amongst other things, are included in the Data Protection Act 2018 which also came in to force during May 2018.  Most of our legal obligations will be contained within the GDPR, however we will need to read both pieces of legislation side by side.

The new law extends the rights of individuals and requires organisations holding personal data to comply with a new stricter set of rules. Changes include:

New Rights for Data Subjects

The new rights are:

  • An enhanced right to privacy and transparency
  • A right of rectification
  • The right to be forgotten - in some cases an individual can ask for their personal data to be deleted
  • Changes to consent required from individuals
  • Where consent for the use of personal data is required it must in future be explicit, non-ambiguous, given freely and can be withdrawn
  • Right to portability
  • Right to restriction

Mandatory Breach Notification

In certain circumstances organisations will have to inform the Information Commissioner's Office about unauthorised disclosures of personal data as soon as they are discovered and where feasible, not later than 72 hours after having become aware of it.  If the disclosure has serious implications for any individuals, they will have to be informed as well.

Privacy by Design

Organisations should design data protection into development of business processes, new systems and undertake Privacy Impact Assessments (PIAs) also known as Data Protection Impact Assessments (DPIAs)

Read more about: Data Protection Impact Assessments here 

Data Protection Officers

A designated post of data protection officer will be strategically responsible for GDPR.

Our Data Protection Officer can be contacted at: or alternatively write to:

NHS Derby and Derbyshire CCG
Dr Steve Lloyd
Data Protection Officer
Nightingale Close
Off Newbold Road
S41 7PF

More background information is available in the GDPR guidance attached to this page.

If you need advice, please email: 

Related documents:

Information on other websites

Last modified: 27/03/2019