March 2026 / Practice Management

GDPR Compliance Without the Spreadsheets: Automating Data Requests, Retention, and Consent

Subject access requests, retention schedules, and consent records don't have to eat your admin team's week. Here's how automation changes the maths.

Dr Sarah Chen

CEO, Medelic

Every GP practice in England is a data controller. That means the partners are personally responsible for how patient data is stored, shared, and deleted. Most practices manage this with a combination of spreadsheets, shared folders, and good intentions. It works until it doesn't — and when it doesn't, the ICO comes knocking.

The SAR Problem

Subject access requests are the compliance task that practice managers dread most. A patient (or their solicitor) asks for a copy of everything you hold on them. You have 30 days to respond. The clock starts the moment the request arrives, not when you get round to opening the email.

In a typical practice, fulfilling a SAR means pulling records from EMIS or SystmOne, checking for triage notes, appointment history, messaging logs, consent records, and any paper files that haven't been scanned. A single request can take a practice manager 4-6 hours of painstaking work, often spread across several days because other tasks keep interrupting.

With Medelic, a SAR covering all data held in the system — demographics, triage records, appointment history, clinical notes, prescriptions, consent records, messages, and call transcripts — is a single action. The system compiles everything into a structured export, ready to review and send. What takes hours manually takes seconds.

Retention Without the Guesswork

NHS records management guidance sets retention periods for different types of patient data, but keeping track of what needs deleting and when is a job that most practices simply don't have time for. SMS messages, voice recordings, chat transcripts — each has its own retention period, and failing to delete data on schedule is just as much a compliance risk as deleting it too early.

Medelic enforces retention schedules automatically. SMS messages, voice recordings, and chat transcripts are removed after two years. Triage records and patient data are anonymised after ten years. Audit logs are retained for seven years and then deleted. None of this requires a diary entry or a quarterly admin session. It just happens, on schedule, with a full audit trail.

Consent You Can Actually Evidence

When the ICO or CQC asks how you obtained consent for a particular data processing activity, "the patient agreed on the phone" is not an adequate answer. You need a record of what was consented to, when, and whether it has since been withdrawn.

Medelic maintains structured consent records for every patient interaction that requires one. Each record includes the consent type, the date it was given, and — critically — the date it was revoked if the patient later changes their mind. This audit trail is available instantly when an inspector asks for it, rather than buried in free-text notes or missing entirely.

Erasure That Doesn't Leave Gaps

When a patient exercises their right to erasure under Article 17, the practice needs to remove their personal data without destroying clinical records that have a legal basis for retention. This is a genuinely difficult balance to strike manually.

Medelic handles erasure by anonymising personally identifiable information while preserving the clinical record structure. Names, contact details, and identifiers are replaced with redacted markers. Sessions, consent records, and push notification subscriptions are deleted. The result is a record that satisfies the erasure request without creating gaps in the practice's clinical audit trail. Every erasure action is logged with the staff member who authorised it, giving you a defensible record if the decision is ever questioned.
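The erasure approach described above, as an added example that is not Medelic's code: a hypothetical patient-record schema (all field and collection names are assumed) in which identifiers are overwritten with a redaction marker, collections with no retention basis are dropped, clinical fields are checked to be untouched, and the authorising staff member is written to an audit entry.

```python
from datetime import datetime, timezone
from typing import Any

# Hypothetical schema: fields treated as personal identifiers and redacted.
IDENTIFIER_FIELDS = ("name", "nhs_number", "phone", "email", "address")
# Linked collections with no retention basis: deleted outright on erasure.
DELETE_COLLECTIONS = ("sessions", "consent_records", "push_subscriptions")
# Clinical content with a legal basis for retention: must survive unchanged.
CLINICAL_FIELDS = ("triage_records", "appointments", "prescriptions")
REDACTED = "[REDACTED]"


def erase_patient(record: dict[str, Any], authorised_by: str) -> tuple[dict, dict]:
    """Return (anonymised_record, audit_entry) for an Article 17 request.

    The input is not mutated. 'record_id' is assumed to be an opaque
    surrogate key that carries no personal data, so the clinical rows
    keep their linkage while every real identifier is redacted.
    """
    anonymised = dict(record)
    redacted_fields = []
    for field in IDENTIFIER_FIELDS:
        if field in anonymised and anonymised[field] != REDACTED:
            anonymised[field] = REDACTED
            redacted_fields.append(field)
    deleted = {}
    for coll in DELETE_COLLECTIONS:
        if coll in anonymised:
            deleted[coll] = len(anonymised.pop(coll))
    # Guard against accidental loss of clinical data before returning.
    for field in CLINICAL_FIELDS:
        if anonymised.get(field) != record.get(field):
            raise RuntimeError(f"clinical field {field!r} altered during erasure")
    audit_entry = {
        "action": "erasure",
        "record_id": record["record_id"],
        "authorised_by": authorised_by,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "redacted_fields": redacted_fields,
        "deleted_collections": deleted,
    }
    return anonymised, audit_entry


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "record_id": "rec-0001",
    "name": "Jane Example", "nhs_number": "000 000 0000",
    "phone": "07000 000000", "email": "jane@example.invalid",
    "triage_records": [{"date": "2025-11-02", "outcome": "GP appointment"}],
    "prescriptions": [{"date": "2025-11-02", "item": "amoxicillin 500mg"}],
    "sessions": [{"token": "s1"}, {"token": "s2"}],
    "consent_records": [{"type": "sms_reminders", "given": "2025-01-10", "revoked": None}],
    "push_subscriptions": [{"endpoint": "https://push.example.invalid/abc"}],
}
```

Running `erase_patient` a second time on its own output records no further redactions or deletions, so the audit trail shows one erasure per request rather than repeated entries.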

"Compliance shouldn't be a project you do once a year when the CQC visit is coming up. It should be built into the way the practice runs every day. The moment you have to rely on someone remembering to check a spreadsheet, you have a risk."
— Helen Okafor, Practice Manager, Birchwood Surgery

What This Means for Partners

For GP partners, data compliance is not an abstract concern. An ICO enforcement action can result in fines, reputational damage, and personal liability. The practices that handle it well are not the ones with the biggest admin teams — they are the ones with systems that do the work automatically.

Automating SAR fulfilment, retention enforcement, consent tracking, and erasure does not just save time. It turns compliance from a liability into something you can point to with confidence — a clear, evidenced, auditable process that runs whether or not someone remembers to check the spreadsheet.