Is the GDPR something completely new?

Not completely, but there are some new requirements.

There is a new requirement on all public authorities (including GP Practices) to appoint a Data Protection Officer and register the DPO with the Information Commissioner.

The requirement to have a lawful basis in order to process personal data is not new. It replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998. However, the GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing. The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. In many cases it is likely to be the same as your existing condition for processing. The biggest change is for public authorities who now need to consider the new ‘public task’ basis first for most of their processing, and have more limited scope to rely on consent or legitimate interests.

If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.

The GDPR also removes the right to charge a fee for subject access requests in most cases. In future, where a request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request. You can also charge a reasonable fee if an individual requests further copies of their data following a request.