The GDPR and Data Protection Act 2018 replace the Data Protection Act 1998 with an updated and strengthened data protection framework; however, the key principles of the original Act remain unchanged. The most relevant changes for GPs in their role as data controllers are highlighted in the box below. The remainder of the guidance explains GP data controllers’ responsibilities under the GDPR, and sets out the main themes of the legislation and what needs to be done to ensure compliance. The principles in the guidance apply to doctors working in private practice or other NHS healthcare settings.