The General Data Protection Regulation (GDPR) – which comes into force on May 25 – requires “public authority organisations” to appoint a data protection officer (DPO) to advise on data protection obligations and be the point of contact for patients and authorities about related issues.
The Pharmaceutical Services Negotiating Committee (PSNC) warned last Friday (May 11) that despite lobbying attempts by itself and the NPA to scrap the requirement for smaller pharmacies to appoint a data expert, “we now find ourselves in the position that we must advise contractors to appoint a DPO”.
NPA: “No appreciable benefit”
NPA head of parliamentary affairs Chris Ford warned that the DPO requirement “will place yet another administrative obligation on the sector”.
As part of its lobbying efforts, the NPA said it wrote to pharmacy minister Steve Brine in February “to outline the case for pharmacies to be exempted”, Mr Ford told C+D.
The NPA is “disappointed” that the government has taken this stance despite the organisation’s proposal securing “the support of the Liberal Democrats, Labour and a number of Conservative backbenchers”, he added.
“We will continue to ask for exemptions to be found through regulation,” Mr Ford said.
“But if it is the government's intention to create costly and time-consuming red tape for our members for no appreciable benefit, then it is a fair expectation that they bear the full cost of this in contract negotiations.”
According to guidance from the Information Commissioner’s Office (ICO), “in some cases, several organisations can appoint a single DPO between them”.
However, NPA chief pharmacist Leyla Hannbeck said: “It is important to consider if one DPO can realistically cover a collection of organisations.”
Pharmacies “should ensure the DPO has the necessary resources in place to undertake their role and be supported as appropriate”, she advised.
Noel Wardle, partner at law firm Charles Russell Speechlys, said: “It may be that data protection experts will offer DPO services as a form of consultancy, or this could be organised at local level; for example, through local pharmaceutical committees.”
Pharmacy owners remain accountable for data protection, and failure to comply with obligations in relation to DPOs could mean facing a fine of up to €20 million or 4% of the business’s turnover, Mr Wardle said.