GDPR? What is it and what does it mean to your care organisation?


Put May 25, 2018 in your diary as a significant date. This is when the Data Protection Act 1998 will be replaced by the General Data Protection Regulation (GDPR).

All personal information your care home has needs to be protected and handled in line with GDPR.

Personal information, in the GDPR context, is information that can identify living individuals (either on its own or in conjunction with other information already available).

Some examples below:

· Name


· Address

· Gender

· NHS number

· Occupation

All organisations who deal with special categories of personal data will have to comply with GDPR. Special categories of personal data can include the below:

· Health information

· Information relating to race, ethnicity, religion, or sexual orientation


To comply with GDPR, you will need to ensure that personal information is:

  1. Processed fairly, lawfully, and in a transparent manner
  2. Collected for specified, limited purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and kept up-to-date
  5. Kept in a form which permits identification for as long as necessary and no longer
  6. Processed in a manner that ensures appropriate security


Points to consider:

Legal Basis and Consent

  • Under GDPR, if your legal basis for collecting and sharing personal information is consent, then that consent needs to be informed, explicit, and recorded. You will only be able to use the information for the consented purpose, and any further use will require further consent. Can you currently evidence this?
  • There are other legal alternatives for collecting, using and sharing personal and special category data that may be more appropriate than consent, such as where it is in the vital interest (life or death) of the individual concerned. Are you aware of all of these?
  • You will need to document the legal basis for all personal information your organisation utilises.

Data Quality

  • Do you have data quality controls in place to ensure your information is accurate and up-to-date?

Retention Periods

  • Are you aware of retention periods relating to all information types so you are compliant with GDPR? You will need to document this under GDPR.

Information Security

  • Care home providers could be exposed if they are using paper or archaic care systems that are not designed with the latest standards of encryption and secure access.
  • Under GDPR, you will be responsible for ensuring any contracted third-parties do not compromise your compliance with GDPR. Can you be certain that your system providers meet the GDPR requirements?
  • Do you hold personal data on external hard drives or USBs? What are your security controls for these mobile devices?
  • Do you have access and audit controls in place to ensure only authorised staff are seeing sensitive information?

Subject Access Requests

  • Both staff and residents can request to see what information you hold on them (a subject access request). Under GDPR, the timeframe for legally responding to these is changing, as is the ability to apply a fee. Have you updated your processes to reflect these changes? Are all staff and residents aware of this right?
  • Can you access your information quickly to comply with these requests? Do you know where all your information is stored?

Depending on how you have answered the above, your care home may not be compliant with the new GDPR regulations.

Want to know more information on GDPR? Follow this link for the Information Commissioner's Office 12 step guide to becoming compliant.

Cura Systems can help!

Don’t panic, there is an easy way to become compliant with GDPR. That is to utilise a company that understands data protection legislation on special categories of personal data and is committed to supporting other organisations in being compliant with GDPR.

Cura Systems offer intelligent and modern care planning, medication management, staff planning, notes and time and attendance monitoring software. Using Cura will provide you with some reassurance that your information is secure and quickly accessed when needed, but only accessible to authorised individuals. Cura does this, and more, for care companies while also empowering them to utilise their information in a way that makes it more useful, to increase service efficiency and enable them to achieve golden care and management standards.


Give your care home the competitive advantage, talk to the Cura Systems team today. Email or call us on 020 3621 9111.
