High Risk Medical Data: GDPR for the Healthcare Sector

If you are responsible for data in a nursing home, hospital, GP practice, out of hours medical service, dental practice, optician, pharmacy or masseuse practice, just to name a few, you are holding high risk data on behalf of your patients. In this article, Eimear Boyle considers key GDPR compliance issues for healthcare providers.

Come 25 May 2018, data protection must be part of your daily work dialogue to avoid compromising patient data and the prospect of significant fines and penalties. These fines and penalties amount to up to the greater of €20 million or 4% of the total worldwide annual turnover of the preceding financial year.

To get ready for this new compliance era in respect of patients’ data, you are legally required to build on the good practices you already observe under current data protection laws.

The GDPR compels you to undertake at the very least the following steps:

  • Make an inventory of all personal data you hold;
  • Assess the purpose of the data processing you conduct, identify your legal basis for conducting it and document this assessment;
  • Review your existing notices alerting individuals to the collection of their data;
  • Examine your procedures to ensure that they comply with the personal privacy rights that an individual has under the GDPR;
  • Do you rely on the individual’s consent when you record personal data? If so, you must look at the manner in which you seek, obtain and record that consent and be aware that changes to this process may be required;
  • Do you process the data of minors? If so, you must ensure that you have a mechanism in place to verify ages and obtain consent from guardians;
  • Update the procedure you use in response to data access requests from individuals to take account, amongst other things, of the new timescale (within one month) and new rules in relation to (1) charging (no charge, unless you can show that the cost will be excessive), (2) any refusal policy and (3) providing additional information to individuals making requests;
  • Create or amend your policy and procedure for detecting, reporting and investigating a personal data breach;
  • Be cognisant of the concept of conducting a Data Protection Impact Assessment and know when it is mandatory to conduct one;
  • Is your organisation a public authority? Do you process patients’ data on a large scale? If either is the case, you need to designate a Data Protection Officer.

At Crowley Solicitors, we are available to assist your organisation in accelerating its GDPR readiness. Do not hesitate to contact any member of our team.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Legal advice should always be taken before acting on any of the matters discussed.