GDPR data requests to hit NHS the hardest

The NHS is expected to face increased financial pressure due to the recently implemented General Data Protection Regulation (GDPR), new research shows.

Research from data firm Exonar shows that requests for personal data to public organisations are set to cost £30 million every year.

Under GDPR, public organisations must complete data requests free of charge, an extra blow to budgets.

Exonar sent out Freedom of Information (FOI) requests to 458 organisations, including NHS Trusts (206), local government (125), central government (61) and emergency services (66) from across the UK.

The requests asked for the number of subject access requests (SARs) received by each organisation in 2014, 2015 and 2016, and the cost of processing each request.

On average, a request costs £145 to process, though some organisations admitted that costs can run as high as £1,800 due to the complexity of finding data. By multiplying the average cost to complete a SAR by the number received by the respondents in 2016, Exonar found that the total administration cost to the public sector would be £30.4 million.

The NHS is expected to be hit hardest by the increase in data requests. Even before the introduction of GDPR, it cost the NHS £20.6 million every year to retrieve customer data. With recent stories about breaches of public data within the NHS, it’s likely requests will increase and put even more financial pressure on the organisation.

Moreover, it’s difficult to assess the cost of SARs to Trusts, as each request can vary widely. For instance, Calderdale and Huddersfield NHS Foundation Trust couldn’t provide a figure, stating that there are costs that “cannot be quantified”, such as any management, clinicians, physio and health visitors, finance and even X-ray costs.

Adrian Barrett, CEO and founder of Exonar, said: “The good news is the public sector is taking its responsibility to do a thorough job and find all the data pertaining to a person seriously. However, there’s a heavy process burden, especially when multiple bodies are involved, and the NHS in particular needs an alternative to manpower to trace data if it is to avoid penalties of non-compliance. Our estimates on the costs of managing SARs are probably conservative but we do expect an immediate bow wave in response to all the GDPR emails we saw in May and June.

“Because the public now knows about the GDPR they are more likely to raise more SARs, and if there is a sudden wave of requests the public sector will be stretched further. It’s clear that the government needs to take advantage of new technology, particularly artificial intelligence, to help the public sector become more efficient with handling, organising and retrieving its data,” Barrett said.

Exonar estimates that an average SAR will run to thousands of pages as complete medical histories are produced.

Barrett says the total number of SARs could cost UK PLC billions: “We expect 30 million requests to be made this year to private businesses of all sizes and the public sector. If we assume the cost to process a SAR is the same in public and private sectors, then the cost to UK PLC stands at £4.5bn. That’s an extraordinary sum to set against admin that has no value to a company.”

Reece Armstrong is a reporter for Digital Health Age. Coming from the North East of England, Reece has an MA in Media & Journalism and a BA in Popular & Contemporary Music from Newcastle University.


© 2019 Rapid Life Sciences Ltd, a Rapid News Communications Group Company. All Rights Reserved.
