General Data Protection Regulations (GDPR) coming in May 2018

Suggested Data Mapping Process

Under the General Data Protection Regulations (GDPR), which come into force in May 2018, podiatrists will need to map any personal data which they may gather, store and process as part of their practice. To aid podiatrists in doing this, the following simple outline has been produced of the steps which may be typical of a patient's journey and the related occasions on which personal data may be processed. This list is not prescriptive. Each clinic will be different. You must reflect on what happens in the context of your practice. You should prepare a document about the data you have, process and store as discussed below and then test it for completeness. Consult your colleagues and support staff as part of the process.

For each of the stages identified below you will need to describe the nature of the data you obtain; the purpose for obtaining it; how and where it is stored; how access is controlled; how the data is protected; and how, when and why it is shared and by what means. Once that descriptive process is complete you can begin to consider how you comply with the data protection principles through the lifecycle of the personal data which you process.

Consider personal data processed at each of the following stages:

  1. Prospective Patient/Initial Enquiry Process
  2. Appointment Booking and Confirmation Process
  3. The Waiting Room and Reception – What can be seen and heard.
  4. Patient Registration Process
  5. First Appointment
  6. Communications Between Appointments
    A: Referrals Out and Requests for Information
    B: Other communications between healthcare professionals
    C: Communications with other third parties such as insurers

  7. Review/Follow-up Appointments
  8. Discharge from Care or Transfers of Care
  9. Atypical/unplanned patient contacts


You will also need to consider how you store records at the end of the therapeutic relationship and how you dispose of confidential waste including outdated or obsolete hardware.

Once you are happy with your written list you should keep a copy within your practice and review it on an annual basis or when a significant change occurs in the way you obtain, process or store personal data.

Under the GDPR it will be expected that patients are given this information as appropriate. Further information about this will be available from the Data Protection area of the website when available.

