Laura Reed, head of professional development at Numark, gives you the heads up on preparing for the introduction of the EU General Data Protection Regulation (GDPR) this May.

The EU GDPR will come into force on 25 May 2018 and will apply in the UK irrespective of Brexit. Pharmacy owners should be starting to review their current data protection arrangements to ensure they comply, particularly as the GDPR has the potential for far greater enforcement penalties than the current laws.

In particular, business owners will need to ensure that they have consent to process employee data, as consent obtained in an employee’s contract is unlikely to be effective under the GDPR. You should
also ensure that you have a data breach response plan, as the GDPR requires mandatory breach reporting.

Key changes

Increased fines for breaches: the Information Commissioner’s Office (ICO) will have greater powers to impose fines as high as €20 million (or 4% of a company’s annual global turnover ). Currently the ICO has powers to fine organisations up to £500,000.

Data Breach Notification: Under the GDPR you will need to notify the ICO of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.

Data Protection Officers (DPO): The GDPR will require some organisations to designate a DPO. The important thing is to ensure that a named individual in pharmacy business takes proper responsibility for compliance and has the knowledge, support and authority to do so effectively.

Greater control for data subjects: Data subjects whom the pharmacy holds / or processes personal data on have the “right to erasure”, also known as the “right to be forgotten”. This gives patients the right to direct the pharmacy to erase any of their personal data in certain situations.

Pharmacy contractors are encouraged to consider and familiarise themselves with their obligations under the GDPR to determine any compliance gaps that need addressing in their standard operating procedures and other policies for when the GDPR goes live.

In summary you will be required to:

Read through the information on getting ready for GDPR at https://ico.org.uk/for- organisations/resources-and-support/data- protection-self-assessment/getting-ready- for-the-gdpr/ to identify areas of concern and put together an action plan.

• Carry out an audit of all the personal data you hold: review where it has come from and who it has been shared with. 
• Check your current procedures for individual access rights. Under the GDPR these have increased and include erasure, rectification and access. Subject access requests are now subject to 30 day turnaround and must be supplied free of charge. Data subjects also have the right to electronic copies of their data. 
• Review how you seek, record and manage consent. The use of pre-ticked boxes for opting in will no longer be acceptable. 
• Review and update your procedure on identifying, managing and investigating data breaches. Under the GDPR you have 72 hours to report a breach to the ICO and if the rights and freedoms of the individuals involved are at risk, they must also be informed of the breach. 
• Assign responsibility for data protection to a key member of staff or, if required, ensure you appoint a DPO. Employers are also expected to have trained their employees in data protection. 
• Make sure all members of staff are aware of the new regulations and their impact.