Getting to grips with GDPR – 1. Where do I start?

April 11, 2018

This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is the first in a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

The bad news is that the GDPR has been described as one of the most complex pieces of regulation ever produced by the European Union; the good news is that the PSNC, NPA, CCA, AIMp, RPS, CPPE and CPW, along with various representatives from contractors, have already got together to sweat it out and prepare guidance and a workbook for you to complete. If you do, it will go a long way to helping you comply with the GDPR and associated legislation.

The GDPR and its associated legislation apply to the processing of personal data, e.g. names and addresses, including special category personal data, e.g. data concerning health. It concerns the personal data of living persons – we’ll take that as read – primarily in filing systems. These are electronic or paper systems in which you can search for people by set criteria, such as a name. Probably the single biggest consideration for community pharmacy is the processing of more than a billion prescription items annually and the associated electronic records held in Patient Medication Record (PMR) computer systems.

Before we go further, remember that while the GDPR is important, and it does change the way we consider data protection, it is not about pharmacy practice, life, the world and the universe!

There are two sets of rules that community pharmacies already comply with that I want to highlight because they interact with, but should not be confused with, the GDPR. These are:

  1. consent or agreement to the activity in question – for example, patients must give consent to you administering a flu vaccination or agreement to you dispensing a prescription as a part of pharmacy practice; and
  2. the common law duty of confidence (confidentiality) – patients can generally expect their health information not to be disclosed unless, for example, they consent to the disclosure (express or implied consent is acceptable here) or it is authorised or required by law or there is an overriding public interest.

There are some complexities around the interaction of these two with the GDPR work, but the key thing to remember is that while you generally won’t be using patient consent as a lawful basis for processing their data under the GDPR, it will remain important in these two other areas so you must continue to seek consent for services and protect confidentiality as you do now.

It’s sensible to appoint one person to lead on implementation of the GDPR. That person will bring it all together and make sure that not only is the Workbook completed, but that technical and procedural aspects of data protection are carried out in the community pharmacy and all relevant staff understand the GDPR to the extent required for their roles.

The bigger your business, the more likely it is that you’ll need some help and guidance on the GDPR from somebody who has expert knowledge of it and understands your business. You may indeed be required to have such a person by the GDPR – a Data Protection Officer (DPO). Guidance on the role of the DPO can be found here.

Whether all community pharmacy contractors will have to appoint a DPO is subject to debate, but if you do, you may need to share a DPO with other contractors, to keep costs to a minimum. The hope is that only large-scale community pharmacies will have to appoint a DPO. There is little guidance on what ‘large-scale’ means in practice, but what there is suggests that processing on the scale of a single practitioner is not large-scale, but processing on the scale of a hospital is. It is not clear where community pharmacy fits into this and we are seeking to resolve this urgently.

For more information and guidance on GDPR, please visit

Read the next instalment (2. Have a plan!) here.
