Getting to grips with GDPR – 12 and 13. Data protection by privacy and design and the Impact Assessment

Getting to grips with GDPR – 12 and 13. Data protection by privacy and design and the Impact Assessment

May 18, 2018

This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is part of a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

Data protection by design and default is all about processing personal data more safely and more securely, with the minimum risk to the individuals concerned, as well as about making sure this is the thinking for any new project.

Let’s take pseudonymisation as case in point. Pseudonymisation is suggested as an appropriate technical measure to reduce the risks for data subjects and it is likely that you are already doing this to some extent. For example, those dealing with your accounts may not see patient details. Also, if you capture and submit records through a Local Pharmaceutical Committee (LPC) to a Local Authority or other commissioner, it is likely that the patient records are pseudonymised as they are processed by the LPC.

That’s all about improvement, but what about your current processing? The GDPR requires that organisations undertake a Data Protection Impact Assessment (DPIA) where their processing presents a high risk to the rights and freedoms of individuals. Template M of the GDPR Workbook helps you consider which pharmacy activities may require a DPIA, and any assessment should be carried out with the help of your Data Protection Officer (DPO). In some cases, you must carry out a DPIA and examples of such scenarios are highlighted in Template M.

Community pharmacies processing data concerning health on a large-scale must carry out a DPIA. However, the interpretation of large-scale is unclear. Accordingly, we recommend that all contractors complete a DPIA as part of their preparations for GDPR compliance and a model DPIA is attached below to be used in addition to the GDPR Workbook.

PSNC’s model Data Protection Impact Assessment (DPIA) for community pharmacy contractors

For more information and guidance on GDPR, please visit

Posted in: , ,

More Latest News >