GDPR and Subject Access Requests

Our fifth blog from Karen Heaton of Data Protection 4 Business covers how to handle a request from a patient or customer for details of the information that you hold on them.

In our blog today, we look at a data subject’s right of access, a powerful tool for individuals who have concerns about what information organisations hold about them. Unfortunately, it can also be used for litigious purposes, so such a request should be taken very seriously within your organisation. Please read on!

A data subject, in other words you or I, can request a free copy of all personal data relating to us that an organisation holds, in any format: paper files, digital records, videos or voice recordings. OK, do I have your attention now? Even for a small organisation, that can amount to a lot of data.

Oh, and you have one calendar month to respond.

So, what must you provide and what is exempt?  Well, let’s see…

What information must I provide?

You must provide the following long list of information in relation to the personal data being processed as well as the data itself:

  • the purposes of your processing
  • the categories of personal data concerned
  • the recipients or categories of recipient you disclose the personal data to
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it
  • the existence of their right to request rectification, erasure or restriction or to object to such processing
  • information about the source of the data, where it was not obtained directly from the individual
  • the existence of automated decision-making (including profiling)
  • the safeguards you provide if you transfer personal data to a third country or international organisation
  • the right to lodge a complaint with the ICO or another supervisory authority

I have a question or two: would you know where to find the data? Would you be able to respond to the other information points above regarding the data you hold? This is not a simple task and can amount to an operational headache for many organisations.

What information can I withhold?

The most common type of data that should be withheld is data mentioning third parties (unless they have given consent for their data to be shared, or it is reasonable not to require such consent; confused?). For example, an email chain where people other than the data subject are mentioned would need to be considered for redaction. How easily can your organisation find, review and redact third-party information?

Other examples of exempted information:

Specific information regarding medical organisations

Often, my clients have concerns that some law firms may use SARs to obtain medical data for free that was previously chargeable.

Subject Access Request (free) vs Access to Medical Reports Act 1988 (chargeable):
Requests from Solicitors acting on behalf of a Patient

The British Medical Association advises that a patient can authorise their solicitor, or another third party, to make a SAR on their behalf. There are very few circumstances in which a medical practice will be able to lawfully decline such a request. In this instance, you should ask the person acting on the patient’s behalf whether there is specific data that they require; for example, are they requesting data covering a specific time period, illness or operation? This is a valid question for you to ask if the patient’s data file is substantial.

Tip: don’t forget to obtain valid consent from the patient before disclosing their personal and sensitive data to the solicitor or third party.

If, however, the request is asking for a report to be written or it is asking for an interpretation of information within the record, this request goes beyond a SAR. It is likely that such requests will fall under the Access to Medical Reports Act 1988, for which a fee may be charged.

Requests from an Insurance company

The British Medical Association, the ICO and the Association of British Insurers currently advise that insurance companies should use the provisions of the Access to Medical Reports Act 1988 to seek access to medical records, and that the use of SARs to obtain medical information for life assurance purposes is an abuse of subject access rights.

So, that scenario is a bit more clear-cut.

The bottom line is…

Your organisation or medical practice must take the time to consider and plan, from an operational perspective, how to respond to a Subject Access Request. Don’t wait until you receive one to work out how it should be done: the clock starts ticking from the day you receive the request.


Today’s fact: access to your data is a basic right under the GDPR and the Data Protection Act 2018. A data subject can make a complaint to the ICO if an organisation fails to respond to a Subject Access Request. Further failure to respond to requests from the ICO, and to any Enforcement Notice they serve, is a criminal offence.

=> This is the worst-case scenario and is easily avoided. Ensure you have a robust operating procedure to handle Subject Access Requests, and train your staff in how to respond, when to respond and what information to provide.

See you next week!

Karen Heaton Data Protection 4 Business



Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited

Previous blogs in the series:

Medical marketing & social media – ethics & guidelines for doctors & private practices

Running a private medical practice involves more than just clinical activities. It’s crucial for consultants and managers to stay up to date on any changes to relevant regulations, such as the new General Data Protection Regulation, coming into effect in May 2018. It is also vital that the activities of the practice are conducted in line with guidance from the authorities (such as the GMC and the BMA). Services need to be marketed appropriately, especially when growing a practice. This week, we’ll be taking a look at what needs to be considered when assessing and implementing your private practice’s medical marketing and social media strategy.

Social media

Social media is a cost-effective medical marketing method, a huge part of many people’s lives, and a main way of communicating for many businesses. However, for doctors there are issues that need to be kept in mind when communicating in a professional capacity with patients, clients and colleagues over social media. These platforms are easy to use and can generate great levels of interest in your practice, but there are guidelines that need to be followed in relation to their ethical use.

  • Confidentiality – GMC guidelines state that doctors must be honest in all communications with patients, clients and colleagues. When using social media doctors need to be aware that a patient’s network may be able to see any communications between the two parties – confidentiality, therefore, is key.
  • Stay professional – Act with integrity, be honest and be trustworthy. As well as being good rules to play by in business, doctors are professionally obliged to act in this way in line with good medical practice guidelines.
  • Know your sites – Designated Medical’s MD, Jane Braithwaite, has written previously about the need to understand social media. Facebook and Twitter are of course two of the most popular sites for businesses and are the best platforms for connecting with potential patients and clients, while LinkedIn primarily provides a channel for communication with colleagues.

Doctors need to assess the possible risks of using social media, and understand that misusing this tool could adversely affect patient-doctor relationships and their professional reputation.

Medical marketing & advertising

The use of social media may involve more than just communicating with patients. As mentioned above, it is also a great tool for marketing and for advertising your practice. However, there are GMC guidelines to keep in mind for this area, too:

  • Any adverts for your practice must be factual and should not take advantage of your patients’ lack of medical knowledge.
  • The marketing of certain services and specialities is subject to specific guidelines. For cosmetic surgery, for example, surgeons need to make sure that their marketing makes it clear that a medical assessment will be conducted before any treatments are carried out. Treatments and services cannot be offered as prizes, and surgeons must be upfront about the results of any cosmetic procedure. This is crucial in terms of managing patient expectations.

Our team at Designated Medical know how important it is to work within these guidelines. Our thorough induction process requires reading and signing our in-house medical marketing and social media policy. We also have a talented digital marketing team, who specialise in social media strategy and management and search engine optimisation. You can read more about the services available here.

For more information about how we can help you grow your practice through online marketing, contact us here or call 020 7952 1008.


AMAZING Digital Marketing Case Study: Designated PA

Designated PA is the subsidiary company of Designated Medical, providing personal assistant solutions to entrepreneurs, small businesses, consultants and private individuals.

Amazing Results

Designated PA began activity across their social media networks and started writing content for the DPA blog, and within just 5 months saw some amazing results. To this day, the benefits of the SEO work carried out on the Designated PA website are still apparent.

Check out how Digital Marketing helped to grow the Designated PA business.

To request a FREE consultation with our marketing experts and discuss how we can help to promote your practice, drop us an email to

Does Your Website Have These 6 Key Elements?

‘75% admit to making a judgment about the credibility of a website based on its website design.’

Isn’t that a scary thought? Luckily, with so many free website templates on sites like Wix and WordPress, gone are the days when web designers could charge an extortionate fee. The market is just far too competitive!

For example, you can hire a website designer for as little as £25 an hour on Upwork. But for the startups and entrepreneurs who would like to test their creative abilities and create their own, let’s take a look at my top essential elements all websites should have.

A fantastic homepage is broken down into 3 elements:

  • Content
  • Tech
  • Visual design

Ideally, your homepage design needs to captivate your visitors, educate them on your brand and encourage them to click onto other pages.

The 6 Essential Elements Of A Website

‘Above the fold’ is a term meaning the first part of the page your visitors will see when they land on your site. This is why it’s so important to make the design as clutter-free and user-friendly as possible.

  • Social Media Buttons – Social media buttons placed at the top of your homepage allow your users to see that you have a social media presence and engage regularly. When it comes to numbers, followers are vital, and a company that has built up thousands of followers tends to be viewed as more trustworthy and an expert in its field.
  • About Tab – I would recommend this to be the first tab on your homepage. What do you do? How do your service and product differ from others? What are the benefits to the customer? More importantly, what is your vision, and why have you decided your product/service could make such an impact in a possibly oversaturated market?
  • Font – Fonts have been proven to greatly influence how a visitor feels about your brand. I remember our IT tutor at school drumming into us that a formal letter had to be in the font ‘Arial!’. Thankfully we are a lot more open-minded today, and value the ability to make a font unique to our brand. Just avoid using too many different fonts on your homepage. Try to use bold text or headers to make your point instead.
  • The Pop-up – Pop-ups have the ability to create warm leads, or to have your visitors leaving the page within 10 seconds out of annoyance! I recommend setting your pop-up to appear at least a minute after the visitor has landed on your platform. Give them a chance to see what you are about first!

          The aim of a pop-up is to create warm leads, by visitors adding their email addresses and subscribing to a monthly newsletter. You can then market special offers on a monthly basis to try to close the sale. After all, they were interested enough to sign up to you in the first place, so you’re halfway there!

  • Pricing – A recent client told us they had searched the internet for an idea of how much it would cost to purchase a social media package. Out of the 10 websites they visited, only one was transparent enough to show their prices, and as luck would have it, that site was ours, Designated. Worrying about your competitors seeing your pricing is one thing, but having potential customers leave instantly because they do not want to email or call is quite another.
  • Contact Details – Have you lost count of the amount of times you’ve searched high and low for contact details on a site, just to find them in small print at the very bottom of the page? Surely the point is to make your team as accessible to potential customers as possible? Think about creating a separate tab for your contact details above the fold.

Are you concerned about how user-friendly your site is? How about the quality of your visuals and your content? Get in touch with our digital marketing team today and let’s create a unique platform that sets you apart from your competitors.

Contact – or telephone us on +44 (0)20 7952 1008

Why You Should Outsource Your Social Media

‘Website visitors are 4 times more likely to use social media than search engines to find what they want’

Speaking from personal experience, I found managing multiple social media accounts time-consuming and exhausting. Managing my followers and unfollowers alone can be a headache, not to mention keeping track of my tweets and recognising the difference between a potential customer and a brand that is completely irrelevant.

But most of all, I feel the biggest problem with social media is consistency. 

I’ve seen comments in Facebook marketing groups from multiple entrepreneurs and startups who are struggling to keep up with their brand awareness, sporadically tweeting every few days. After a few weeks with minimal engagement, the realisation kicks in that it will take time and effort to kick start your business.

That’s where Designated Medical come in. Our digital marketing team specifically use their skills in marketing startups, small businesses and private medical centres. We have proven results in increasing:

  • Website traffic
  • Engagement
  • Twitter Followers
  • Brand Awareness
  • Business Blog Views
  • Shares Using Infographics

So let’s take a look at a few questions from a small startup and see how we can assist them.

I need to set up multiple accounts, but isn’t it just too time-consuming?

We can create business accounts for all the major social media channels and ensure brand consistency is optimised throughout. For example:

  • Facebook Business Page
  • Twitter
  • Google +
  • Pinterest
  • Instagram
  • Linkedin

I already have a Twitter account, but I have minimal engagement and I don’t understand the key hashtags to use for my sector.

We will research hashtags for your sector to ensure targeted engagement and will post consistently on topics relevant to your business on a daily basis.

I’m not sure which social media platform would be the most suitable for my brand?

When you sign up with Designated Medical, we create a FREE marketing plan to cover all aspects of your business. You can expect to find out:

  • Where to find your customers
  • The best Hashtags
  • Which content is most suitable for your site
  • Your competitors
  • When is the best time to post on social media and which platforms to use
  • Meetings or events in your sector that you may wish to attend for networking purposes

This sounds costly; is it more expensive than hiring a full-time social media executive?

One of the biggest benefits of outsourcing your social media is that you pick the hours you wish us to work. No need to worry about things like taxes, accommodating a new member of staff, or keeping them busy for 8 hours a day when they’re on a salary.

For a private medical centre that may not have the budget to hire a full-time member of staff, this could be invaluable to you and your growth. Simply pick the hours you feel comfortable with!

Would you like to find out more and have a quick chat with one of our experienced digital marketing executives? Get in touch today on 020 7952 1460 or email us at