Changes in UK data protection legislation

GDPR: Summary of changes

Changes to data protection legislation are on the horizon and to reflect these upcoming changes, the RCSLT is updating our existing information governance guidance.

However, this guidance will not be finalised until we have a clearer idea of all of the changes. We are exploring opportunities to work with national bodies in relation to this. 

So, what are the key things to know?

  • The General Data Protection Regulation (GDPR), which applies across the European Union (EU), comes into force in May 2018. The new law will apply to the UK, despite the UK’s decision to leave the EU.
  • The Data Protection Act 1998 is being repealed and, at the time of writing, the Data Protection Bill is passing through parliament to bring UK data protection laws in line with these changes.
  • The new standards aim to empower people to have greater control over use of their data and to protect EU citizens from privacy and data breaches. The changes include:

o   new rights for individuals, such as being able to find out about how, where and for what purpose their personal data is being processed, and ‘the right to be forgotten’;

o   Tighter requirements for consent to process and store data 

o   Greater penalties for data protection breaches; and

o   Increased accountability and a need for organisations to demonstrate compliance with the law. 

  • Healthcare professionals should be aware of the changes and the impact, as these apply to all organisations, settings and individuals processing and holding personal data.

Information about the changes to EU and UK data protection law is available from the Information Commissioner’s Office (ICO), and they are developing a series of resources, including toolkits, FAQs and guidance on GDPR.

They also provide briefings on the passage of the Data Protection Bill through parliament and links to factsheets on this topic. 

We would recommend that members:

  • identify their local information governance lead; 
  • are aware of any new local policy developments that will impact on record-keeping and the timescales for implementation; and
  • in private (independent) practice, review resources on the ICO and RCSLT webpages. 

Please note: it is emphasised that this information is for your general guidance only and does not constitute legal advice. The RCSLT is not in a position to offer individual advice on the application of the GDPR and you should seek advice from your employer, or take legal advice if you are self-employed.


GDPR: Summary of changes

GDPR and consent

The Data Protection Act 1998 required consent to be freely given, specific and informed. The GDPR adds that consent must also be an unambiguous affirmative action, documented and reversible. The GDPR treats consent as a dynamic and ongoing process, and it must be:


  • name who requires consent
  • name third parties
  • why you want the data
  • what you will do with the data
  • explain how consent can be withdrawn


  • separate consent for individual options of data sharing/ processing
  • unambiguous indication of subjects wishes
  • clear and active ‘opt in’ and ‘opt out’


  • who consented
  • when, what, why and how


  • regularly review consent (GDPR gives no specific timescales)
  • consent is reversible and can be withdrawn

GDPR and consent for children

Article 8 of the GDPR requires parental consent for children under 16 for services requested and provided over the internet (although the UK may choose to lower this to 13 in the future).

Parental consent expires when the child reaches an age by which they can consent for themselves. At this point consent must be reviewed. Consent by children should follow the ‘Gillick Competence Test’. This considers whether the individual child has the understanding and competence to consent for themselves.

You must provide children with the same clear information about consent and withdrawal processes as you do to adults. The ICO is currently reviewing more detailed guidance on children’s privacy.

GDPR and research

The GDPR has implications for researchers, sites, and sponsors managing research projects. As a result, the Health Research Authority (HRA) has been working with the Medical Research Council to develop guidance in this area.

This guidance focuses on the following areas: 

  • consent
  • transparency 
  • collection and safeguarding of personal data
  • data subject rights
  • the use of confidential information

Please refer to the guidance for researchers for detailed information about how you can ensure your research complies with GDPR requirements.


Lead author: Kathryn Cann

Date of last review: March 2018

Website design and development by Premier IT