General Data Protection Regulation (GDPR)

On 25th May 2018 one of the biggest changes to data protection for a generation will come into force. It will have a profound impact on many organisations across the country, particularly in the healthcare industry. ILLY Systems have been working hard to ensure that we remain compliant with the changes, and will be helping our partners to do the same.

What is GDPR?

The EU’s General Data Protection Regulation (GDPR) will supersede the Data Protection Act (1998) and its principal aim is to give people more control over how their personal data is used. GDPR will have significance for commissioners, service providers and systems suppliers.

Form How does it affect the Substance Misuse Sector?
Any service that is required to hold and process personal data will be impacted by GDPR. This is particularly true of the substance misuse sector. Here are just some of the key changes that come into effect from the 25th May which will have a direct impact on the substance misuse sector:

  • Consent – Service providers must request explicit consent to hold a client’s personal information in a simple, accessible way and the purpose for which this data will be processed must be stated clearly in this request. You must also check that data sharing agreements your organisation has with other parties too.
  • Right to access – Clients will have the right to know if their personal data is being processed and for what purpose. The data controller will need to be able to provide a free copy of this data in an electronic format.
  • Right to be forgotten – Clients will be able to get the service provider to erase their data if they wish to withdraw consent.
  • Data Protection Officers (DPO) – Where organisations are handling large volumes of personal client data, a DPO will need to be appointed.
  • Stricter penalties – Breaching GDPR can result in a fine of up to 4% of annual global turnover or €20 Million (whichever amount is greater). These penalties will apply to both data controllers and data processors.
  • Data retention period – Case records should be kept for 8 years after treatment completion, after which they must be destroyed.

What do you need to do?

All services already obtain client consent in line with PHE guidance as part their access to treatment, however there is more that services should be considering – this includes how information and data is shared and processed as part of the continuity of client care, in particular the client’s ‘right to be forgotten’.

Careful consideration needs to be given to core information about the client’s medical, risk and mental health histories which form the basis of their long term treatment and recovery.

How can we help?

Client data and information is at the heart of everything we do and as such it’s already embedded in our ISO Procedures.

  • Data Processing Agreement – Our Contracts team have created a Data Processing Agreement, which explicitly states ILLY’s role as your Data Processor in relation to the data we hold in LINKS CarePath. This is counter-signed by your named Data Controller to ensure compliance with GDPR.
  • Secure Data – This is at the core of our development and delivery strategy. 2-factor authentication is already available but from 2018 it will be implemented as standard.
  • Consent – Easily manage data protection and third party consents within the client record.
  • Right to be forgotten – LINKS CarePath already allows users to delete individual client records in the maintenance tool.
  • Historic Client Removal Tool – An easy way for administrators to mark multiple records for deletion, using ‘number of years since discharge’ as a selection criteria; for example, to mark any records for deletion that have not presented to the service in ≥ 8 years.

Client Removal Screenshot

If you have any questions about any of the information above, please contact the Client Services team at ILLY Systems on 020 7749 2222 or

Useful Links:
Information Commissioner’s Office:

National GDPR Working Group: