The General Data Protection Regulation (GDPR) is legally enforceable with punitive fines for none compliance. GDPR can seem quite complex, but there are some simple first steps which might help. First, a definition: A care provider is a Data Controller according to GDPR – and this term applies whether using paper records, a computer system, or a cloud based service. A care provider might also be a Data Processor, and the easiest way to avoid being caught in both categories is to use a computer system that is hosted outside of your organisation. However, so check with the organisation that hosts your data that they are GDPR compliant. More information about GDPR is available here