The implementation of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 requires organisations to report certain types of incidents to NHS Digital, the Department of Health and Social Care (DHSC) and the Information Commissioners’ Office (ICO) (the supervisory authority).
