Privacy Policy
General Data Protection Regulation (GDPR)
The GDPR has replaced the Data Protection Act 1998 (DPA) and radically overhauls many of the existing data protection rules.
Accountability & Data Governance
One of the main features of the GDPR is that compliance alone is not enough; data controllers must also demonstrate their compliance and prove that they are taking data protection seriously by implementing a range of accountability measures. These measures include Privacy Impact Assessments, data protection audits, policy reviews, activity records and in some cases, the mandatory appointment of a DPO. Here is an overview of some of the accountability measures you will need to understand:
Privacy Impact Assessments
Privacy Impact Assessments (PIAs) will need to be carried out when Witcombe Health is planning a new initiative involving “high-risk” data processing activities, such as monitoring individuals, systematic evaluations, or processing special categories of personal data, particularly when involving large numbers of individuals or new technologies such as biometrics.
The purpose of a PIA is to identify and minimise non-compliance risks.
Pseudonymisation
This refers to processing personal data in a way that it can no longer be attributed to a data subject without additional separate information. That additional information must be kept securely and separately to prevent identification.
Pseudonymised data is still personal data, but GDPR promotes its use in certain circumstances to enhance privacy and support compliance.
Data Protection Audits
Witcombe Health will review and document the personal data it holds, identify its sources and determine who it is shared with. This exercise—known as a data protection audit—demonstrates compliance with the data protection principles.
A data protection audit also maps data flows into and out of Witcombe Health and highlights any “red flags” requiring urgent attention.
Data Protection Policy Reviews
All privacy policies relating to data protection have been reviewed and updated. Privacy policies must now clearly explain an individual’s legal rights under GDPR and how those rights can be exercised. Policies for children must be written in clear, non-technical language.
Appointment of a Data Protection Officer (DPO)
Due to the significant new obligations under GDPR, Witcombe Health has formally appointed a Data Protection Officer.
The DPO for Witcombe Health is Sarah Pead, who has received training in this area.
The DPO has sector-specific knowledge and must be supported in maintaining it. Their minimum tasks include:
- Advising colleagues and monitoring GDPR compliance, including through staff training and awareness
- Advising on PIAs
- Acting as the point of contact for supervisory authorities
- Developing policies and procedures
- Monitoring guidance updates and codes of practice
- Overseeing breach notifications and documentation
The DPO may be an employee or contractor, and must operate independently without fear of dismissal or penalty for exercising their role. Their contact details must be published and registered with the supervisory authority.
Staff Data Protection Training
Witcombe Health must ensure all staff handling personal data receive appropriate training. New starters will receive training before accessing data, and existing staff will receive regular refresher training.
Records of staff who have received training—and those who have missed sessions—will be kept to ensure compliance.
Communicating Data Protection / Privacy Policy Information
GDPR requires Witcombe Health to provide more meaningful and transparent information to individuals about how their data is used. Privacy Notices must now include an expanded list of mandatory information, presented clearly and accessibly.
Information to be provided includes:
- The identity and contact details of Witcombe Health
- The purpose of data processing and the legal basis for processing
- Who data is shared with
- Details of transfers outside the EU (if any) and safeguards in place
- Retention periods
- Individuals’ legal rights, including the right to withdraw consent
Legal Grounds for Processing Personal Data
GDPR sets out specific lawful bases for processing personal data, such as consent, contractual necessity, and compliance with legal obligations.
Witcombe Health must understand and communicate its legal grounds for processing—especially in Privacy Notices and when responding to Subject Access Requests (SARs).
Consent
Consent must be:
- Freely given and easy to withdraw
- Specific and separated from other terms
- Fully informed
- Unambiguous and indicated through a clear affirmative action
Witcombe Health has reviewed how consent is gathered and recorded to ensure compliance with GDPR.
Individuals’ Rights
Under GDPR, individuals have strengthened rights, including:
- Right of subject access
- Right to correct inaccuracies
- Right to erasure (“right to be forgotten”)
- Right to prevent direct marketing
- Right to prevent automated decision-making and profiling
- Right to data portability
Subject Access Requests
The GDPR updates SAR rules:
- No fee in most cases
- One-month response deadline (extendable in limited cases)
- Additional required information, such as retention periods
- Ability to refuse manifestly unfounded or excessive requests, with justification documented
Witcombe Health has updated its SAR procedures accordingly.
Personal Data Breaches
Internal procedures have been adopted to detect, report, and investigate data breaches.
Breaches likely to result in risk to individuals’ rights or freedoms must be reported to the ICO within 72 hours, and in some cases to affected individuals without undue delay.
A breach register will be maintained. Failure to comply can result in significant fines.
Children
Children receive special protection under GDPR. Where online services rely on consent, parental consent is required for children under 16 (or under 13 in some Member States).
Witcombe Health must take reasonable steps to verify parental consent where required.
International Data Transfers
Witcombe Health does not transfer personal data outside the EEA.
If this ever changes—e.g., through use of cloud providers or overseas communications—GDPR-approved safeguards such as Standard Contractual Clauses must be implemented.
Breaches of international transfer rules can result in fines of up to 4% of worldwide turnover.