General Data Protection Regulations (GDPR) will apply in the UK from 25 May, 2018, irrespective of Brexit. NPA chief pharmacist Leyla Hannbeck looks at the implications for pharmacy
As a rule of thumb, if your organisation needs to comply with the Data Protection Act, then it will need to comply with GDPR. But GDPR will introduce new elements and significantly enhanced requirements regarding data protection.
GDPR and DPA responsibilities are similar, but the most significant new addition is the ‘accountability principle’, which requires organisations to demonstrate that they comply with GDPR principles. Organisations will need to maintain records of data processing activities. GDPR applies to ‘personal data’, but the definition is more detailed than the DPA’s: it even suggests an IP address can be ‘personal data’. The new definition reflects changes in technology and the way personal information and personal identifiers are harvested.
The key areas to consider are: lawful processing of personal data; consent; and children’s personal data.
Under the GDPR, all individuals have the following rights: to be informed; to rectification; to erasure; to restrict processing; to data portability; to object; to access; and rights in relation to automated decision-making and profiling.
There will be a new duty to report certain types of data breaches to the Information Commissioner’s Office (ICO) and, in some cases, to the affected individual(s). Failure can result in a fine of up to £10m or 2% of the organisation’s global turnover. More information is in the ICO resource: overview of the GDPR.
Top tips to prepare for the GDPR:
• Raise awareness within your organisation of the forthcoming changes, especially with key decision makers. Identify areas of concern. Implementation can impact on your organisational resources, both personnel and financial.
• Carry out an audit of all personal data held by your organisation: where it has come from and who it has been shared with.
• Identify your organisation’s lawful basis for processing personal data, document it and include it in the privacy notice.
• Review and update privacy notices to meet additional requirements under the GDPR. Explain the lawful basis for your organisation to process personal data, the data retention periods and the individual’s rights to complain to the ICO.
• Check whether your current procedures cover all the individual’s rights under the GDPR. Ensure they cover the right to delete personal data and data portability rights.
• Review and update procedures for subject access requests. Review how your organisation will handle requests to adhere to the new timeframes.
• Review how your organisation seeks, records and manages consent. Make the required changes to comply with the GDPR – the ICO has published draft guidance on consent under the GDPR. The final guidelines will only be published by the ICO after the Article 29 Working Party of European Data Protection Authorities (WP29) has agreed its Europe-wide consent guidelines; this is expected to be December 2017. You can use the ICO’s draft guidance on consent for now until the final version is published. Refresh all existing consent as required to comply with the GDPR.
• Start planning how to verify children’s ages and obtain parental/guardian consent to process children’s personal data.
• Review and update, if required, your organisation’s procedure on managing data breaches to comply with the GDPR.
• Appoint a Data Protection Officer (DPO), if required.
The NPA has produced an additional resource – General Data Protection Regulations: brief overview.
For further information call 01727 891800 or email email@example.com.