Chemist + Druggist is part of Pharma Intelligence UK Limited

'Pharmacies need to prepare now for new data protection regulations'

Lawyer David Reissner considers what pharmacy owners need to know about new EU data protection legislation

The General Data Protection Regulation (GDPR) was adopted by the European Union in April 2016, and will come into force on May 25, 2018. The EU says the aim of the regulation is “to protect all EU citizens from privacy and data breaches in an increasingly data-driven world”.

Although many features of data protection law will remain the same, the changes are significant – and pharmacies need to prepare now to comply with them.

The GDPR will partly replicate and partly change our existing laws. So alongside it, in the UK, the Data Protection Bill – which is expected to have its second reading in the House of Commons in early March, on its way to being passed into law – will create new legislation designed to supplement the existing data protection provisions in the Data Protection Act.

In terms of how Brexit affects this, if you own a company that processes data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR – irrespective of whether or not the UK retains the GDPR post-Brexit.

If your pharmacy’s activities are limited to the UK, then the position after the initial Brexit period is much less clear – although the UK government has indicated it will implement an equivalent, or alternative, legal mechanism.

What will happen under GDPR?

Under GDPR, pharmacy owners will become data “controllers” – the people who decide what patient information to process and how to process it. As data controllers, pharmacy owners must be clear about the legal basis for processing patient data – which includes collecting, recording, retrieving, consulting and using data.

In many cases, the legal basis will not be a patient’s consent, because processing will be lawful if it is necessary for the purposes of administering healthcare or treatment to that patient. But to rely on this purpose, the data must only be processed by, or under the responsibility of, a pharmacist or a registered pharmacy technician.

If a pharmacy owner – the controller – relies on consent as the legal basis for processing patient data, they must be able to show that consent was given explicitly, either verbally or in writing, and that any information given by the controller to the patient to inform their decision was given in language that was clear, concise and easily accessible.

The consent must be for a single, specific purpose, and when giving it, the patient must have been informed of their right to withdraw consent – which must be as easy as giving it in the first place. If these requirements are not met, the consent will not be valid.

New responsibilities

A key change in the law is that it will require all controllers to appoint a data protection officer (DPO), whose contact details must be published. This person’s responsibilities will include:

  • Monitoring the pharmacy’s compliance with GDPR and with procedures
  • Being a contact point for all patients with data protection issues, including reporting breaches to the Information Commissioner’s Office
  • Informing and advising pharmacy staff of their data protection obligations
  • Monitoring assignment of responsibilities and awareness training.

The DPO should not be someone who makes decisions on how data is to be used, because this could give rise to conflicts of interest. They should have direct access to a company’s board [where there is one], and they may not be dismissed or penalised for carrying out their responsibilities.

In the event of a data breach – such as accidental or unlawful loss, or illegal disclosure, of personal data – the DPO must report this to the Information Commissioner’s Office within 72 hours. It may also be necessary to notify any patient who is affected.

What could happen if pharmacies fall foul of GDPR? The consequences of a breach include:

  • Compensation, which courts can award for distress or financial loss
  • Fines of up to €20 million, or up to 4% of a pharmacy’s turnover.

David Reissner is senior partner at law firm Charles Russell Speechlys LLP