On May 25th 2018 the new data protection reforms will take effect, and many people want to know how it will affect them.

The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The ICO (Information Commissioners Office) have published a number of really helpful guides, and checklists.

Here’s the link to the ‘Getting ready for the GDPR checklist’:


There is also the ’12 steps to take now’ guide here:


The ICO are aiming to provide a suite of data protection guidance that is as comprehensive as possible by May 2018, so it’s worth visiting their site to keep up to date as things move forward. https://ico.org.uk/


How the GDPR might affect your business

When you record a person’s details you are recording data, there are some rules that you may need to know:

Lawful Basis for Processing

Data can only be processed if there is at least one lawful basis to do so. The lawful basis for processing data are:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation


Your rights to YOUR data under GDPR

Do you want to know your rights to any data that is held on you after the GDPR comes into effect on May 25th 2018, the ICO has published a guide under ‘Individuals Rights’, the link is here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-of-access/


On a final note, The ICO have published a data protection self-assessment toolkit.

“Use our checklists to assess your compliance with the Data Protection Act and find out what you need to do.

Good information handling makes good business sense, and provides a range of benefits. You'll enhance your business's reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money”.



We hope our clients find some of this information useful, and we will update this post as more information becomes available.


GDPR and Record Keeping


We have received a number of requests from clients regarding record keeping in light of GDPR, and how long they should keep their client consultation notes / record cards for given the regulation notes that personal data should be kept for no longer than is necessary.


If you currently have a Balens Health Professionals Policy with us, underwritten by Zurich Insurance plc, it is a condition of your Insurance Policy to take and retain client records. The policy wording notes:


The records shall be kept for at least 7 years following the last occasion on which treatment was given.  In the case of treatment to minors, it is advisable that records should be kept or at least 7 years after they reach the age of majority (18). 

                                                                                                  Record Keeping - Condition 14 c, on page 35


The Statute of Limitation in the UK (i.e. time when an individual is able to bring a claim) is 6 years for certain injury claim situations, or 6 years after the individual reaches the age of majority in the case of minors. However, these 6 years start from the date that the injury was discovered, not from the time that the alleged incident that caused it occurred. There are also instances, for example if treating a vulnerable client, where the statute may be overturned.  Your records are your best line of defence in any claim situation hence the need to keep these for at least 7 years. It will be for you to determine, in view of your own client base, whether you choose to keep the records for longer than the 7 years noted in the policy wording, and then note this in your Privacy Notice for your clients.    


There are provisions under the GDPR with regards to keeping records to defend yourself in a claim situation (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/  - When can I refuse to comply with the right of erasure), which clearly give you the right to hold your client records to comply with your insurance Terms and Conditions, should your client make a request for them to be deleted under their Right of Erasure.