Data Protection for NHS, Healthcare, MedTech and Life science

The GDPR was enacted into UK law as the Data Protection Act 2018. It imposes legal obligations on medical and healthcare organisations governing how they must manage and process personal data.

The new legislation complements the NHS Data Security and Protection Toolkit (DSPT) and requirements for Caldicott Guardians. It gives the Information Commissioner’s Office (ICO) powers to impose significant financial penalties for non-compliance.

This, together with the increased focus on data collection, developments in Artificial Intelligence (AI) and the various codes of conduct within healthcare, makes robust personal data protection practices essential.

The experienced data protection consultants at The DPO Centre will help ensure your organisation’s compliance framework meets the relevant healthcare and medical data protection requirements and regulations.

This page explains what the new legislation means for medical and healthcare organisations and the key areas they need to consider when managing and protecting personal data.



Like all other organisations, medical and healthcare organisations must:

• Be transparent in the way they process personal data and accountable for doing so
• Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)
• Understand the data they have, where it is stored and who has access to it
• Implement robust processes and procedures to protect personal data
• Allow patients, healthcare professionals, staff and employees, local authorities, family and next of kin, guardians and suppliers to:
  • Access the data stored on them
  • Ensure it is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)
• Appoint a designated data protection officer if they:
  • Are a public body
  • Process data on a large scale, especially special category data or data relating to criminal convictions
  • Use the data for automated decision-making


“I became acquainted with The DPO Centre through one of their Data Protection Officers (DPO) who acts as outside DPO for one of our US-based clients. We were negotiating a DPA for a unique trial his client is conducting in the EU which utilizes my company’s mobile research services. The DPO I had the pleasure of working with on that project is one of the best DPO/counsels I have worked with when it came to thoughtfully negotiating through a clinical trials-DPA, given his great knowledge of the GDPR and the crossover with clinical trials regulations in both EU & UK. He’s also just a solid, nice person, and I have greatly enjoyed and am very grateful to have him across the table to get the trials up and running.”

Jenifer McIntosh
Professional Case Management


Healthcare and medical organisations must take extra precautions when processing sensitive patient data. Our range of data protection services will help ensure that your organisation is taking the best care of patients’ data. We provide consultancy, outsourced DPOs, UK and EU GDPR Representatives, Caldicott Guardians, staff training and awareness sessions, and a data protection advice line staffed by our expert DPOs.


Caldicott Guardians

UK National Health Service (NHS) and social care organisations must appoint a Caldicott Guardian to ensure their organisation adheres to the National Data Guardian’s data protection principles. The DPO Centre provides outsourced Caldicott Guardians to health and social care organisations to help them process, manage, and protect patient data.



Outsourced Data Protection Officers

Health and social care organisations have particular data protection needs, as they collect and process sensitive data about vulnerable patients. Our outsourced DPOs have a broad range of experience working with the health and social care sectors, so they are able to help you organise your data protection framework and improve its compliance.



GDPR Representative

If your medical organisation processes data on UK or EU residents but has no presence in those territories, you may be required under Article 27 of the GDPR to appoint a UK or EU Representative. Our UK and EU Representation service helps you construct your Records of Processing Activities (RoPA) and respond to data subject rights requests.


Data Protection Consultancy

We have one of the largest teams of data protection consultants available who’ve worked across multiple sectors, including healthcare, medtech and life science. These experts provide advice and guidance tailored to your organisation’s data protection needs, keeping the particular concerns of these specialist sectors in mind. By engaging our consultancy service, you can improve transparency, be more accountable for the personal data you process and reduce the risk of breaches and compliance failure.




Data Protection Training

Often, it’s not enough to have a compliance framework in place for your healthcare or medical organisation. All of your organisation’s stakeholders, regardless of their level of seniority, must also understand the basics of data protection compliance. With training from The DPO Centre, your staff members will learn not only the importance of data protection but also how to manage and process data in their specific roles, supporting your organisation to remain compliant.




Data Security and Protection Toolkit (DSPT)

The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that all organisations processing NHS patient data must use. Our experts can help you complete the yearly assessment, ensuring you meet all NHS data protection requirements. We can also help you identify gaps in your data security practices and provide you with the necessary documentation, policies and procedures.


Data Protection Advice Line

As part of our outsourced DPO and UK and EU GDPR Representative services, we offer an Advice Line, staffed by our experienced DPOs. When your healthcare organisation has a pressing question or needs urgent advice on a data protection matter, you can access our helpline. This service is also offered standalone, to provide additional support and expertise to your existing in-house resources.



Medical and healthcare organisations must protect personal data across all of their operations and be aware of multiple regulations. Major considerations include:

Complementary regulations, guidance and inspections

  • NHS Data Security and Protection Toolkit (DSPT)
  • GDPR and Data Protection Act (2018)
  • Caldicott Guardianship
  • CQC audits and inspections


  • Privacy, retention and data protection policies
  • Staff handbooks

Marketing, communications and consent management

  • Social media and posting
  • Emails, Bring Your Own Device (BYOD), NHSmail


  • Maintaining network and server security
  • Email systems
  • Staff payroll, pension and HR records
  • Visitors’ book and access systems

Sharing data with others

  • Clinicians and healthcare professionals
  • Local authorities

Managing sensitive information

  • Data Protection Impact Assessments
  • Managing sensitive medical information
  • Safeguarding, family issues and DBS checks

Data gathering for predicting clinical outcomes

  • Automated processing
  • Data anonymisation and pseudonymisation

Patient-facing care and getting the job done

  • Bedside data
  • Patient notes
  • Managing paper records

Care management systems and medical records

  • Carer planning and management systems such as CarePlanner, Zuri, Access Care
  • Electronic Medication Administration Records (eMAR)


With our extensive subject matter knowledge of data protection and compliance for medical and healthcare organisations, we are able to deliver far greater value to your organisation than an independent data protection contractor or small team, and to do so far more cost-effectively than a large consultancy or law firm. Our consultants have worked with many of the platforms, tools, vendors and software used in the healthcare and medical sector, allowing us to provide you with the most appropriate solutions for your organisation.

• Highly cost-effective
• Experience and shared best practice gained from working with over 900 clients
• Designated Data Protection Officer working on site with your team
• Pre-existing model documentation tested and validated across varied industry sectors
• Pragmatic, straightforward, solution-driven advice
• UK and pan-European expertise




Alex Aucutt-Ford

Spencer Hospitals

“Our DPO from the DPO Centre has been excellent. They are happy to answer any questions we have, and have been a great sounding board for our Information Governance team which has supported all the great work the team does. By helping to provide a clear and prioritised plan of action, our DPO has ensured that we stay on track to meet our compliance goals.”


Drew Davies

PCCTC Contracts Manager

“By having The DPO Centre take responsibility for the role of GDPR representative for the PCCTC, we are confident we are meeting the legal requirements of the GDPR.

The DPO Centre’s team are always on hand to answer any queries we may have and to help us respond to any Data Subject Access Requests from any trial member across the EU.”