GDPR & You


The General Data Protection Regulation – usually referred to as GDPR – was adopted in April 2016 and applies across the EU from 25 May 2018. It replaces the 1995 Data Protection Directive and was designed to “beef up” the existing EU legislation relating to Data Protection.

Now, before you all go running off to purchase books, consultants, videos and indemnity insurance, there are one or two things that you need to be aware of and understand.


  1. The existing EU rules come from the 1995 Data Protection Directive, which the UK implemented as the Data Protection Act 1998. Having worked to those rules for twenty years, we have a head start on much of what GDPR asks for.
  2. GDPR is a regulation rather than a directive, so it applies directly in every member state and brings the whole of the EU to the same standard. Some states have major changes and improvements to make – the UK is already well placed in most aspects.
  3. Any care home which has already put in place a Data Protection policy, and has procedures that staff actually follow, can be reasonably confident that it is well on the way to being compliant.
  4. GDPR applies from 25 May 2018. The two-year transition period ran from 2016 to that date, so there is no further grace period after it. What will take time is for regulators and local authority staff to settle how they inspect against it; any who try to put their own spin on things early will, I think, want to feel their way slowly to avoid a repetition of the DoLS nightmare. Brexit does not change the position: the Government has said the GDPR standard will be carried into UK law.
  5. Most care homes will need a Data Protection Officer. GDPR requires one where an organisation’s core activities involve large-scale processing of special category data, and health and care records are special category data, so unless a home is confident it falls outside that description it should appoint one. The DPO is the person responsible for monitoring that the GDPR requirements are met. It can be an internal staff member, a consultant, a DPO service provider or an external employee, but whoever it is must have expert knowledge of data protection law and no conflict of interest with their other duties.


So, exactly what are you required to do?


Up to now, all we have sight of are some guidance notes from the NHS, the CQC and a couple of law firms who are trying to “second guess” how the regulators will apply it.

What is abundantly clear is that any care home which stores data relating to other people (that’s all of us!!) has a legal duty to ensure that:

  1. It is held safely
  2. It is stored securely
  3. It is shared properly, with a lawful basis for each sharing
  4. Any loss of data is identified quickly, fully investigated, and reported to the ICO within 72 hours where it is likely to put people at risk (GDPR sets this deadline)
  5. Data held electronically is kept in a secure system with controls against unauthorised access. Encryption of the stored data plus a second factor for log-in (not just a password) are the usual expectation
  6. Data held electronically has a “back-up” procedure that is actually tested
  7. Any information shared across the EU is in accordance with GDPR
  8. Any information shared outside the EU (e.g. the USA) is covered by a GDPR-recognised transfer mechanism, such as standard contractual clauses with the recipient, so that it is protected to a GDPR-compliant standard as a minimum

It is clear from the above comments that most care homes will be compliant with much of what will be required.


The two areas that ALL care homes need to focus on are:

  1. Back up and storage of electronic data
  2. The Role of the Data Protection Officer


Back Up and Storage of Data

This can be as simple as using a USB stick to copy your files onto each night or each week. You might stretch this to once per month, but in the event of a “tech failure” everything entered since the last copy is gone, and a month of care records is a massive loss.

There is also an issue regarding safety and security – how do you know which is the most current USB stick, and where are they kept to prevent loss or theft? If a stick is not encrypted, losing it is a reportable data breach in its own right. What happens to old sticks – are they securely wiped before disposal?

This is also time consuming and relies on human actions.
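Every problem listed above (which copy is current, reliance on a person remembering, an untested backup) is a scheduling and verification problem. As an added example, not code from the original article, the script below automates the nightly copy: each run produces a timestamped archive with an embedded SHA-256 manifest, the restore is tested before the run counts as a success, and old archives are retired on a fixed schedule. Python is used so the same script runs on Windows, Mac or Linux; the folder names and the two sample files are constructed for illustration, and encrypting the medium itself (BitLocker or LUKS on a stick, the provider’s encryption in the cloud) is assumed to be done separately and is not shown.

```python
"""Versioned, verified nightly backups of a records folder (added example)."""
import datetime
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest: Path, when: datetime.datetime) -> Path:
    """Archive src into dest/records-<UTC stamp>.tar.gz with an embedded manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"records-{when.strftime('%Y%m%dT%H%M%SZ')}.tar.gz"
    manifest = json.dumps(build_manifest(src), sort_keys=True).encode()
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="records")
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))
    return archive


def latest_backup(dest: Path):
    """Timestamped names sort lexically, so the last one is the newest copy."""
    archives = sorted(dest.glob("records-*.tar.gz"))
    return archives[-1] if archives else None


def verify_backup(archive: Path) -> bool:
    """Restore into a scratch directory and check every file against the manifest."""
    # The 'data' extraction filter (Python 3.12+, backported to older releases)
    # rejects absolute paths, '..' components and links that escape the target,
    # so a tampered archive cannot write outside the scratch directory.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(tmp, **opts)
        root = Path(tmp)
        manifest = json.loads((root / "MANIFEST.json").read_text())
        return build_manifest(root / "records") == manifest


def rotate_backups(dest: Path, keep: int) -> list:
    """Delete all but the newest `keep` archives; returns what was removed."""
    archives = sorted(dest.glob("records-*.tar.gz"))
    removed = archives[:-keep] if keep > 0 else archives
    for a in removed:
        a.unlink()
    return removed


def nightly_run(src: Path, dest: Path, when: datetime.datetime, keep: int = 30) -> dict:
    """One scheduled run: back up, test the restore, then retire old copies."""
    archive = create_backup(src, dest, when)
    ok = verify_backup(archive)
    removed = rotate_backups(dest, keep) if ok else []  # never rotate after a failed run
    return {"archive": archive.name, "verified": ok, "removed": [r.name for r in removed]}


def demo(workdir: Path) -> dict:
    """Constructed sample data: two 'nights' of backups with a one-archive retention."""
    src = workdir / "records"
    (src / "residents").mkdir(parents=True)
    (src / "residents" / "care-plan-001.txt").write_text("constructed sample care plan\n")
    (src / "staff-rota.csv").write_text("name,shift\nA. Nurse,night\n")
    dest = workdir / "backups"
    first = nightly_run(src, dest, datetime.datetime(2018, 5, 25, 1, 0), keep=1)
    second = nightly_run(src, dest, datetime.datetime(2018, 5, 26, 1, 0), keep=1)
    return {"first": first, "second": second, "latest": latest_backup(dest).name}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(json.dumps(demo(Path(d)), indent=1))
```

Run it from the operating system’s scheduler (Task Scheduler on Windows, cron elsewhere) pointing `src` at the records folder and `dest` at the encrypted stick or synced cloud folder; the `verified` flag is what you record in your compliance log, and a run that fails verification keeps the older copies rather than deleting them.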

Cloud based solutions are simple, safe and effective for many care homes, provided the provider is contracted as a data processor under GDPR and you know where the data is held.

Larger homes or groups may have a network and / or offsite secure back up and retrieval servers and systems.

A middle route between the two is a managed backup service from a specialist provider: the provider runs the secure network and recovery systems once for many customers, so each individual care home can use it at a very cost-effective fee level.

This way, care homes can gain the biggest advantage of peace of mind, security, backup (in real time) and recovery of archived data, for less than the cost of even the most basic anti-virus package.

For details of companies who can provide this service, contact us at


Data Protection Officer

This role is a new EU concept. It is distinct from the Data Controller, which is the care home itself, as the body that decides why and how personal data is processed: the DPO advises the home, monitors its compliance and is the contact point for the ICO and for residents and staff. The range of fines for non-compliance falls on the care home as controller, not on the DPO personally; in fact the GDPR says the DPO must not be penalised for doing the job. As stated earlier, this may simply mean nominating an existing staff member, but the DPO must not have a conflict of interest, so a Director or the Registered Manager, who decides how the home uses data, is a poor choice; regulator guidance treats senior management posts as conflicting.

Alternatively, the home might appoint an outside consultant or third party to fill this role. This is likely to be quite expensive, as the person is taking on a defined legal role with a duty to monitor that the GDPR is being complied with.

For any care home which uses, or is considering using, electronic data storage and retrieval (e.g. care planning, staff files, resident data and records etc.) there is a third way to look at compliance.

There are a small number of companies whose work involves not just the creation and development of secure care home software, but the secure management of data to internationally recognised standards. Check which standards they actually hold: ISO 9000 is a quality-management standard and CE marking is a product-conformity mark, and neither says anything about how data is secured. The relevant certification is ISO/IEC 27001 (information security management), and you should ask to see the certificate and the scope it covers.

These companies are able to help their existing customers, and also to take on new clients at a fraction of the normal cost, because the work is spread across a large customer base.


Again, for details of such companies who can provide this service, contact us at