Data Protection Bill and GDPR

The General Data Protection Regulation (GDPR) will come into force on 25 May. The Data Protection Bill, which is still going through Parliament, updates data protection laws in the UK and supplements the GDPR.

Overview of concerns

The Optical Confederation, of which FODO is an active member, and other bodies representing primary care providers have serious concerns that the Bill, as currently drafted, defines all primary care providers as ‘public authorities’, which will require them to appoint a statutory Data Protection Officer (DPO) purely on that basis.

The GDPR itself only requires an organisation to appoint a DPO if it is a genuine public authority, or processes sensitive data, such as healthcare data, “on a large scale”. This requirement was not intended to capture primary care providers as a matter of course, and in the case of providers that don’t process data on a large scale, is simply not needed.



Liberal Democrat MP Christine Jardine has tabled an amendment which, if passed, would exempt primary care providers from the Bill’s definition of ‘public authorities’, and therefore the blanket requirement to appoint a DPO. This has been supported by Labour MP Julie Cooper. Larger primary care providers that process sensitive patient data on a large scale will be required to appoint a DPO under the GDPR, regardless of the Bill, and this amendment will not change that. The amendment is due to be considered as the Bill goes to report stage on 9 May.


Tweet your MP

We are calling on members to help build support for the amendment by tweeting the following and tagging your MP in the tweet:

‘[.tag name] I am a constituent and I’m calling on you to support amendment 19 to the #DataProtectionBill , to prevent small primary care providers from the unnecessary requirement to appoint a DPO. A briefing with further information can be found here:

Key points to note:


Amendment 19

Clause 7, page 5, line 24, at end insert—

“(1A) A primary care service provider is not a “public authority” or “public body” for the purposes of the GDPR merely by virtue of the fact it is defined as a public authority by either—

  • any of paragraphs 43A to 45A or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000, or
  • any of paragraphs 33 to 35 of Schedule 1 to the Freedom of Information (Scotland) Act 2002 (asp 13).”