Freedom of Information (FOI) requests sent to NHS trusts in England reveal that more than £1 million has been spent preparing for the General Data Protection Regulation (GDPR).

Parliament Street issued freedom of information (FOI) requests in February 2018 asking trusts to disclose their total GDPR expenditure to date, projected expenditure for the year ahead as well as details about how the money was being put to use.

Within its results, Luton and Dunstable proved to have invested the most in GDPR implementation, having set aside £111,200 for staff support and training. This was followed by Lincolnshire Partnership NHS Foundation Trust, which has spent £106,915, including £1,755 on “specialist training”.

South Central Ambulance Service and St George’s University Hospitals both set aside £95,000 for GDPR respectively. This was followed by Sheffield Teaching Hospitals (£78,000) and Dorset HealthCare University NHS Foundation Trust, which reported to have spent £70,000 on a “GDPR specialist” over a course of six months, supported by staff training.

Meanwhile, the Christie NHS Foundation Trust spent £54,000 on an information security management system and consultancy resources.

Other trusts have been more thrifty in regards to their GDPR spend, due to budgetary constraints or otherwise.

Derby Teaching Hospitals, for example, reported to have allocated just £500 toward preparing for the new regulations.

Alder Hey Children’s NHS Foundation Trust said it had spent £553 on practitioner training, whereas Cheshire & Wirral Partnership said it had spent £662 on training along with an exam.

Goodmayes Hospital, part of North East London NHS Foundation Trust, spent £500 on GDPR preparation, with an extra £70 a month going towards “a secure email system for sending patient records.”

GDPR introduces tighter measures around citizen data privacy, with organisations who fail to comply facing heavy fines.

In total, Parliament Street’s report showed that £1,076,549 had been spent by NHS trusts to ensure data security practises are up-to-scratch before the 25 May deadline.

However, only 46 trusts replied to the think tank’s FOI request, representing just over a fifth of all NHS trusts in England.

While this suggests that the total spend on GDPR could be considerably higher, research from Digital Health Intelligence conducted in 2017 found that only around half of NHS trusts in England have an implementation plan for the new regulation.

To increase these numbers, Parliament Street suggested that a national GDPR implementation strategy be established by the NHS that brings together CEOs and CIOS, in order to ensure consistency between trusts.

It also called on the government to provide  “dedicated legal advice in the form of solicitors and specialist counsel to enable all trusts to gain free consultancy on implementation.”