Example engagement — illustrative
A UK GDPR data protection audit for a care home group
Care home group (four homes) · Data Protection & UK GDPR
The challenge
A small care home group knew it held sensitive resident data but had never audited its practices, and was uneasy about whether it could handle a subject access request or a breach correctly.
What we did
- Carried out a data protection audit and built a record of processing activities across the four homes
- Reviewed lawful bases for handling special category health data and consent arrangements
- Refreshed privacy notices for residents, families and staff in plain English
- Wrote a workable subject access request procedure and a personal data breach process
- Delivered practical UK GDPR awareness training for managers and care staff
The outcome
The group gained a clear view of its data, a defensible set of records, and staff who knew how to respond to requests and breaches.
Background
Care homes hold some of the most sensitive personal data there is — health conditions, medication, next-of-kin details, safeguarding notes — which places them firmly within the scope of UK GDPR and the ICO’s remit. In this illustrative example, a group of four homes had grown by acquisition, so each site had its own habits, its own filing and its own version of a privacy notice. The directors could not confidently say what data was held where, and a recent near-miss with a misdirected email had made them realise they were not sure how to handle a breach or a subject access request if one landed.
What we did
We began with an audit rather than assumptions, walking through what data each home collected, why, where it lived and who could reach it. From that we built a record of processing activities across the group — the foundational document UK GDPR expects and the one that makes everything else easier. We then reviewed the lawful bases for processing, paying particular attention to special category health data, and checked that consent was being relied on only where it genuinely applied rather than as a catch-all.
With the picture clear, we refreshed the privacy notices for residents, families and staff into plain English, and — crucially — gave the group two procedures it had been missing: a workable way to handle a subject access request within the statutory time limit, and a personal data breach process that reflected the duty to report a notifiable breach to the ICO within 72 hours. Finally we delivered practical awareness training so managers and care staff could recognise a request or a breach and act, instead of freezing.
Result
The group came away with a defensible set of records, privacy information it could stand behind, and staff who knew what to do when something went wrong. Data protection shifted from a vague worry into a set of routines the homes could actually run.
This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.