Month: May 2018

Inaugural Blog – No. 1

Inaugural Blog – No. 1

GDPR compliance for NWL GPs (TPP)

Welcome to this inaugural blog which is going to follow the process of taking our GP practice through to GDPR compliance. There has been some understandable anxiety around the concept of a deadline on the 25th May, but most practices nationwide will not be compliant by then. Rather than being a tick box process, this should be considered as a journey.

The clinical system we use to provide patient care is TPP SystmOne. We had initially thought about providing an EMIS version of the blog as well, but as things have turned out the activities you need to engage in  to meet GDPR requirements are not really system specific.

What is GDPR and why this blog? 

I’m a GP working in Hammersmith. One of my roles is to support the safe and secure sharing of medical records so that we can improve the care we provide for our patients. How we manage the private and personal data we hold and process on our patients has been redefined by new European regulations GDPR:

General Data Protection Regulation

These outline similar requirements to the Data Protection Act, but set higher standards, which if unmet can carry fines of up to 4% of the annual turnover of your practice.

Delays in guidance and the implementation of the statute made the goal of compliance by the 25th May unachievable. But the Information Commissioner’s Office (ICO) who will police the process has made it clear that they do not intend to be implementing punitive measures. Such actions are only likely if there is clear evidence of a significant breach which demonstrates a blatant disregard for a data controller’s responsibilities. However, practices must be able to show that they understand these new responsibilities and are taking actions to meet them.

So this is serious stuff and whilst you are unlikely to fall foul of the ICO it is important not to leave the work undone. It will need extra resources, at a time when we are all busy, but this is not just some dictat passed down from NHSE … it’s the law.

The NWL Journey towards Compliance

Our practice will be advised by a team of IG experts about the actions they need to take and this blog will mirror each stage. Where for example we need to undertake data flow mapping, there will be a detailed description of what information is needed, who collects it, how is it presented and how long this took. If a process requires a search then that search will be recorded and made available to all practices who want to use it. Likewise for audits or other activities. If an action results in the output of a practice policy, protocol, guideline or procedure, those documents will be made available to share. It may be possible to use some of them as is, others may require modifications to make them relevant to your practice. At the end of each blog, we will highlight the learning points and give a bullet list of actions which you need to take before moving on.

We will be working one day a week here, but some of this will be preparatory work which will not take you as long and we are also likely to make some mistakes which we hope you will be able to learn from. The blog will be divided into weekly sections and we hope that by sharing our experience in this way, practices across the North West London (NWL) CCGs will be able to go through a near-identical process.

How long will it take and what resource?

We are not entirely sure but hope to reach compliance over something in the order of 10 weeks, during which time our Practice Manager and or a dedicated lead will devote between one half to one day per week. We are mindful that this is starting off just before the holiday period and we plan to do four weekly blogs up until the 23rd July, followed by a three-week break after which we will restart. There will be an update on the 21st June.

We look forward to you coming along on the journey with us!

What, When and How

What, When and How

The Purpose

This blog will document the process of two Hammersmith GP practices who are being taken through the tasks required to become GDPR compliant.


Below is the planned schedule. It may be updated depending on how we progress.

Format of blog

To help usability each weekly blog will follow a standard structure: