Chemist + Druggist is part of Pharma Intelligence UK Limited

This is operated by Pharma Intelligence UK Limited, a company registered in England and Wales with company number 13787459 whose registered office is 5 Howick Place, London SW1P 1WG. The Pharma Intelligence group is owned by Caerus Topco S.à r.l. and all copyright resides with the group.



It's difficult for pharmacies to find a data 'expert' in time for GDPR

Pharmacy law expert David Reissner questions how the government is implementing the GDPR regulations across the sector

I’m not surprised that the government rejected attempts by the Pharmaceutical Services Negotiating Committee (PSNC), and other pharmacy and healthcare representative bodies, to get the Data Protection Act 2018 amended so that pharmacies and other primary care providers would not be required to appoint a data protection officer (DPO).

However, even though I’m not surprised, I can’t help but observe that the government’s reasons for the decision make no sense at all.

The General Data Protection Regulation, which comes into force from May 25, says that two types of organisation need a DPO: public authorities – the definition of which includes any person providing NHS services – and any person who processes personal data on a large scale.

Last week, despite the lobbying efforts of PSNC and the National Pharmacy Association, the government refused to amend the legislation so that not all primary care providers are considered 'public authorities'. It also rejected the request to scrap the requirement for smaller pharmacies to appoint a data expert.

So what reason did the government give for rejecting amendments to the definition of a public authority, so as to exclude community pharmacies and healthcare providers? Speaking in the House of Commons earlier this month (May 9), Margot James, minister for digital and creative industries, said it was because “primary care providers process sizeable quantities of sensitive health data”.

Flawed reasoning

There are two flaws in this reasoning. First, if healthcare providers process sizeable quantities of sensitive data (now called “special category data”), then according to the government’s position, they would need a DPO anyway, even if they were not a public authority.

Second, the government’s reasoning was flawed because it took a broad-brush approach to the question of whether healthcare providers process “sizeable quantities of sensitive health data”.

GDPR expressly avoids such a lazy categorisation of what healthcare providers do, and says: “The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients…by an individual physician [or] other health care professional.”

EU guidance

Whether healthcare professionals process large quantities of personal data depends on the circumstances. According to official EU guidance, those circumstances include the number of patients involved or the proportion of patients in a geographical area, the volume of different data being processed, and the geographical extent of the processing.

Unless they band together and share a DPO, it may be difficult for small businesses to find someone suitable to take on the role, because the individual must be independent of management. However, pharmacy owners now have no choice but to get on and appoint someone suitable.

David Reissner is a consultant with law firm Charles Russell Speechlys LLP

Download PSNC’s GDPR guidance here, and read NPA chief pharmacist Leyla Hannbeck’s guide to what community pharmacists need to know about the regulations here.
