The General Data Protection Regulation (GDPR), which has replaced previous privacy legislation, came into full effect in the European Union in May 2018. This paper discusses the implications of the GDPR for the handling of health care data when evaluating clinical guidelines. Guideline evaluation is mandatory in order to improve the quality of health care. Following the implementation of the GDPR, there has been increased awareness that it is now mandatory to obtain consent and to provide patient information letters if patient data are not given anonymously.