With the most recent developments to the European General Data Protection Regulations (GDPR) introduced in May 2018, the resulting legislation meant a new set of considerations for study approvers and health-care researchers. Compared with previous legislation in the UK (The Data Protection Act, 1998), it introduced more extensive and directive principles, requiring anybody ‘processing’ personal data to specifically define how this data will be obtained, stored, used and destroyed. Importantly, it also emphasised the principle of accountability, which meant that data controllers and processors could no longer just state that they planned to adhere to lawful data protection principles, they also had to demonstrate compliance. New questions and concerns around accountability now appear to have increased levels of scrutiny in all areas of information governance (IG), especially with regards to processing confidential patient information. This article explores our experiences of gaining required ethical and regulatory approvals for an ethnographic study in a UK health-care setting, the implications that the common law duty of confidentiality had for this research, and the ways in which IG challenges were overcome. The purpose of this article was to equip researchers embarking on similar projects to be able to navigate the potentially problematic and complex journey to approval.