General Data Protection Regulation (GDPR)

The UK General Data Protection Regulation (GDPR) aims to ensure that individuals have rights over their personal data and that organisations manage data accordingly.

Any business, charity, or organisation, including sole acupuncture practitioners, that holds personal identifiable information must be fully compliant with GDPR principles.

UK GDPR compliance can be daunting for any organisation. Although the principles of UK GDPR apply to all organisations, small businesses employing less than 250 people do not face the exact same requirements. The Information Commissioner’s Office (ICO) acts as the regulating body for GDPR.

Why complying with GPDR is important

There are three good reasons to comply with GDPR:

It is in your patients’ best interests to protect their personal details and health records.
It is your professional duty to always keep patient records secure and confidential and to comply with the law.
If the ICO was to take action against you for any breach of GDPR, this may affect your reputation as an acupuncturist and lead to a loss of confidence by your patients or potential patients.

In addition, breaches of GDPR could lead to a large fine. When deciding on the level of fine, the ICO would consider:

the nature and gravity of the infringement
whether the breach was intentional or negligent
the mitigating actions taken by the organisation to contain damage to individuals
the compliance policies and procedures implemented by the organisation
any past infringements
the level of cooperation by the processor and controller (the organisation)
what personal data was involved in the breach
whether the ICO was promptly notified of the breach
whether certain codes of conduct were adhered to

The ICO has made clear that maximum penalties will not be handed out without serious investigation and consideration of all circumstances. However, the risk is present, and organisations have had plenty of notice to get their policies and procedures in place.

GDPR guidance from the BAcC

The BAcC produced a range of guidance for members in 2018 as GDPR was brought into force. The guide has been updated and can be downloaded as a complete document. The topics covered are:

Personal data you hold and why
How you use personal data
Privacy notices
Consent
Data breaches (to follow)
FAQs

GDPR questionnaire for members

Further resources

The ICO has published a Guide to the UK General Data Protection Regulation (UK GDPR) as part of its Guide to Data Protection. This information includes:

Key definitions
The seven key principles of the UK GDPR
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The law around processing personal data
The rights of individuals under the UK GDPR
Steps to be taken under accountability and governance
Information on data security

GDPR guidance

Download our latest guidance

Full guide

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	session	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	session	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_6GLCRN52SL	2 years	This cookie is installed by Google Analytics.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.