Layer 1

'Pharmacies need to prepare now for new data protection regulations'

"The changes are significant – and pharmacies need to prepare now to comply with them"

Lawyer David Reissner considers what pharmacy owners need to know about new EU data protection legislation

The General Data Protection Regulation (GDPR) was adopted by the European Union in April 2016, and will come into force on May 25, 2018. The EU says the aim of the regulation is “to protect all EU citizens from privacy and data breaches in an increasingly data-driven world”.

Although many features of data protection law will remain the same, the changes are significant – and pharmacies need to prepare now to comply with them.

The GDPR will partly replicate and partly change our existing laws. So alongside it, in the UK, the Data Protection Bill – which is expected to have its second reading in the House of Commons in early March, on its way to being passed into law – will create new legislation designed to supplement the existing data protection provisions in the Data Protection Act.

In terms of how Brexit affects this, if you own a company that processes data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR – irrespective of whether or not the UK retains the GDPR post-Brexit.

If your pharmacy’s activities are limited to the UK, then the position after the initial Brexit period is much less clear – although the UK government has indicated it will implement an equivalent, or alternative, legal mechanism.

What will happen under GDPR?

Under GDPR, pharmacy owners will become data “controllers” – the people who decide what patient information to process and how to process it. As data controllers, pharmacy owners must be clear about the legal basis for processing patient data – which includes collecting, recording, retrieving, consulting and using data.

In many cases, the legal basis will not be a patient’s consent, because processing will be lawful if it is necessary for the purposes of administering healthcare or treatment to that patient. But to rely on this purpose, the data must only be processed by, or under the responsibility of, a pharmacist or a registered pharmacy technician.

If a pharmacy owner – the controller – relies on consent as the legal basis for processing patient data, they must be able to show that consent was given explicitly, either verbally or in writing, and that any information given by the controller to the patient to inform their decision was given in language that was clear, concise and easily accessible.

The consent must be for a single, specific purpose, and when giving it, the patient must have been informed of their right to withdraw consent – which must be as easy as giving it in the first place. If these requirements are not met, the consent will not be valid.

New responsibilities

A key change in the law is that it will require all controllers to appoint a data protection officer (DPO), whose contact details must be published. This person’s responsibilities will include:

  • Monitoring the pharmacy’s compliance with GDPR and with procedures
  • Being a contact point for all patients with data protection issues, including reporting breaches to the Information Commissioner’s Office
  • Informing and advising pharmacy staff of their data protection obligations
  • Monitoring assignment of responsibilities and awareness training.

The DPO should not be someone who makes decisions on how data is to be used, because this could give rise to conflicts of interest. They should have direct access to a company’s board [where there is one], and they may not be dismissed or penalised for carrying out their responsibilities.

In the event of a data breach – such as accidental or unlawful loss, or illegal disclosure, of personal data – the DPO must report this to the Information Commissioner’s Office within 72 hours. It may also be necessary to notify any patient who is affected.

What could happen if pharmacies fall afoul of GDPR? The consequences of a breach include:

  • Courts can award compensation for distress or financial loss
  • Fines of up to €20 million, or up to 4% of a pharmacy’s turnover.

David Reissner is senior partner at law firm Charles Russell Speechlys LLP


Mohammed Patel, Community pharmacist

Very interesting that data protection is being mentioned at exactly the same time as the GPhC inspectors are highlighting patient confidentiality as a recurring issue.

If pharmacists and pharmacy managers were not under such incredible pressure on a day-to-day basis, they would have enough time to audit their departments on such issues.

Leon The Apothecary, Student

David, do you have any information you could share about the new "Right to be Forgotten"?

David Reissner, Senior Management

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances, such as when the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. In addition, if the basis for processing data is that the patient has consented, the patient has the right to withdraw consent, in which case, the data must be disposed of/deleted.

N O, Pharmaceutical Adviser

Hi David,

Could you elaborate on the DPO role, for a small independent Pharmacy, where the Owner Pharmacist is the whole and sole of that Pharmacy??

Thanks in advance.

David Reissner

GDPR says that DPOs should be able to perform their duties in an independent manner, so it should not be the pharmacist owner who is also the controller.  However, GDPR doesn't require the DPO to be an employee and it allows controllers to share a DPO, so pharmacist owners could group together.  I think the NPA may intend to help with this, so if you are a member, you may want to ask.

Job of the week

Pre-registration Pharmacists
West London, Surrey, Hampshire, Ken
On application