Care Providers: 7 key takeaways to ensure compliance with the UK GDPR and Data Protection Act 2018

In our new article, Hetal Ruparelia, Head of our Information Law team and Solicitor in our Housing Management and Property Litigation team, sets out the 7 key factors Care Providers should be aware of in order to ensure their compliance with UK GDPR and the Data Protection Act 2018.


  1. Identify your lawful basis for processing – To disclose personal data concerning a resident to a third party (e.g. a family member), you must identify a lawful basis for processing under Article 6 of the UK GDPR and, if you are disclosing special category personal data such as health data, also a condition under Article 9 of the UK GDPR.
  2. DPIA – A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. You must carry out a DPIA for processing that is likely to result in a high risk to individuals. To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. This is particularly relevant to care providers, who frequently process personal data concerning vulnerable data subjects and/or data of a highly personal nature.
  3. Breach detection – You should ensure you have robust breach detection, investigation and internal reporting procedures in place. These will support decision-making, as and when a personal data breach occurs, on whether you need to notify the ICO, the affected individuals, or both. The UK GDPR places a duty on all organisations to report certain personal data breaches to the ICO. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also inform those individuals without undue delay.
  4. Training and awareness – Staff training and awareness is a key element in reducing the risk of a data breach occurring. Should a breach take place, one of the first things the ICO will ask is whether staff undergo regular data protection training; evidence of such training can be a mitigating factor in any enforcement action. You should consider appropriate training levels for different staff and ensure that completion of training is effectively monitored and documented.
  5. Data Sharing Agreements – To ensure compliance with Article 28(3) of the UK GDPR, you should ensure a written contract containing the terms required by Article 28(3) (commonly called a data processing agreement) is in place with any data processor to whom personal data is disclosed.
  6. Privacy notice – Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR. You must regularly review and, where necessary, update your privacy information, and you must bring any new use of an individual's personal data to their attention before you start that processing.
  7. Subject Access Requests – Ensure you understand what is required in response to a Subject Access Request, how long your organisation has to respond, and what types of personal data are exempt from disclosure in response to such a request.

For more information, please contact Hetal Ruparelia, Head of our Information Law team and Solicitor in our Housing Management and Property Litigation team.
