How Will GDPR Affect Health and Social Care?

  • techUK
    Tuesday 12 Sep 2017
    Meeting notes

    On Wednesday 6 September, techUK held an event to explore how GDPR will affect the health and social care industry.

Presentations from speakers are available to download below.

With the EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, the countdown has begun. As the health and social care industry both generates and utilises vast quantities of data in its daily operations, the introduction of GDPR will be an incredibly important development. To explore how GDPR will affect the health and social care industry, techUK held an event where a fantastic line-up of speakers presented to a packed room.


Victoria Hordern (Hogan Lovells LLP) provided an overview of GDPR from a legal perspective. She explored the meaning of health data in the GDPR context, saying the new broad definition of health data should come as no surprise and there will be greater rights for individuals to control their health data. When it comes to medical research, she explained there will be a more flexible compliance framework for health data used for scientific research purposes. She also highlighted that, apart from explicit consent, lawful grounds for the use of health data will depend substantially on EU or member state law. Victoria also said that around 60 to 65 per cent of the GDPR is similar to the Data Protection Act (DPA), so although GDPR is much longer and more detailed, if companies are compliant with the DPA the leap to GDPR compliance should not be too great.


Steve Norledge (IBM) focused on the opportunities of GDPR to build the trust crucial to enable the digitisation of health services. He said there is huge potential for tech to transform the health and care industry but it will not be successful if citizens do not trust suppliers and providers of healthcare with their data. The value in GDPR could be to catalyse organisations to fix some of their operational limitations in order to gain a clearer view of personal data. This will enable better service delivery and result in better outcomes. Companies should also consider re-thinking their data relationship with customers to secure trust, transparency and confidence.


Gary Smith (PhixFlow) addressed the practicalities of GDPR. He discussed how GDPR will mean changes and that the most successful organisations will be those that embrace the need for change. Organisations should also consider what other benefits could be derived from these changes. The Subject Access Request (SAR) process, under which individuals can request a copy of their information held by an organisation, was also discussed. The SAR process is important for all industries and there are many considerations for an organisation, including ensuring consistency in searches, keeping records of consent, the need for audit trails, and the volume of requests. GDPR is an ongoing process and organisations need to change the way they think about data.


David Evans (NHS Digital) discussed the implementation of GDPR and the impact it will have on the NHS. The NHS, along with other industries, will have to embrace new changes when GDPR begins. These include subtle changes to definitions, an increased focus on accountability and the need to be able to demonstrate compliance with the law. He explained that transparency and trust come from getting the design right and are hugely important to ensure the NHS has the confidence of patients and citizens. He said the NHS, through the Information Governance Alliance, will be publishing guidance that goes to the heart of where the health service needs to focus its attention. The NHS will face challenges and uncertainty along the way and, although perfection is not possible, the focus must be on doing the right thing to ensure transparency, accuracy and accountability.

The panel then opened the discussion to the audience. The discussion was wide-ranging, from the readiness of the industry to predictions on what the regulatory authorities will do on 26 May 2018 once GDPR comes into effect. Panellists cautioned that although some organisations have embraced GDPR and have started to make the necessary changes, the industry as a whole is not ready. Organisations were encouraged not to wait for guidance but to ensure that their specific obligations under GDPR were understood and codified. One of the keys is transparency: being clear about what you are going to do with the data and why.

For more information on techUK’s Health and Social Care Programme and the Cloud, Data Analytics & AI Programme, please contact:
