This guest blog comes from our accountant and resident tax expert, Michael Bennett of Michael B. Bennett Ltd.

Recently I have had a number of conversations with people who are telling me that as a result of the GDPR changes earlier in 2018, goodwill can no longer be sold. This is categorically untrue.

Firstly, let’s look at the GDPR changes this year. In essence, the actual regulations regarding Data Protection have not changed at all since 1998; all that has happened this year is that the penalties for breaches have been made more severe. So, if you believe that goodwill cannot be sold now, you also have to believe that it could not be sold for the last twenty years!

Having established the above, now we can look at whether goodwill can be sold. There is no question that any set of patient records, by their very nature, contain personally identifiable information; therefore the release of these to any third party would be a breach under the tightened regulations. The sale of a patient list from one practice to another would therefore require permission from the patients (data subjects) to allow their data to be transmitted from one data controller to another. It follows then, that if you are wanting to sell your patient list, all you need do is circularise your patients and ask them for their consent.

You could, of course, pre-empt this by having in your privacy policy a note that in the event of the practice being sold, the patient consents to their records being passed over to the new owners. You now have the right to sell your goodwill, in advance.
Another way of dealing with this would be to trade through a company, in which case, the data controller would be the company. You can then sell your shares in the company to another person, who takes over the control of the company. Both before and after the sale, the patient records were held by the same company, therefore there has been no breach of the data protection act; the data controller has remained unchanged, but the data officer has changed.

This would still involve the requirement to request consent from all patients to transfer their personal data from your sole trade practice to your limited company practice, but given that you would be the data officer at both sides of the transition, I doubt any patients would object.

One other thought in passing. Under the tightened regulations, the consent of the data subject is required before a third party can be sub-contracted to deal with matters on your behalf. Do your consent forms (I assume you get written consent from all patients before their first treatment) include an agreement from them that sub-contractors can treat them on your behalf, as this is what may well be happening if you are having associates treat them.

Michael B Bennett FCCA