Laura Reed, head of professional development at Numark, gives you the heads up on preparing for the introduction of the EU General Data Protection Regulation (GDPR) this May.
The EU GDPR will come into force on 25 May 2018 and will apply in the UK irrespective of Brexit. Pharmacy owners should be starting to review their current data protection arrangements to ensure they comply, particularly as the GDPR has the potential for far greater enforcement penalties than the current laws.
In particular, business owners will need to ensure that they have a valid lawful basis for processing employee data: consent obtained through an employee’s contract is unlikely to be effective under the GDPR, because consent must be freely given and the imbalance of power between employer and employee makes that hard to demonstrate. You should also ensure that you have a data breach response plan, as the GDPR makes breach reporting mandatory where a breach is likely to result in a risk to the individuals affected.
Increased fines for breaches: the Information Commissioner’s Office (ICO) will have greater powers to impose fines of up to €20 million or 4% of a company’s annual global turnover, whichever is higher. Currently the ICO has powers to fine organisations up to £500,000.
Data Breach Notification: Under the GDPR you will need to notify the ICO of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, unless the breach is unlikely to result in a risk to the individuals concerned. The 72 hours run continuously, including weekends and bank holidays, so your response plan needs to work outside normal opening hours. Where the breach is likely to result in a high risk to individuals, you must also tell the affected patients or staff without undue delay.
Data Protection Officers (DPO): The GDPR will require some organisations to designate a DPO, including those whose core activities involve large-scale processing of special category data such as health data, so pharmacies should check whether this applies to them. Whether or not a formal DPO is required, the important thing is to ensure that a named individual in the pharmacy business takes proper responsibility for compliance and has the knowledge, support and authority to do so effectively.
Greater control for data subjects: Individuals whose personal data the pharmacy holds or processes have the “right to erasure”, also known as the “right to be forgotten”. This gives patients the right to direct the pharmacy to erase their personal data in certain situations. The right is not absolute: it does not apply where the pharmacy must retain the data to comply with a legal obligation, such as record-keeping requirements for dispensed medicines, so you will need to be able to explain which records you can and cannot erase on request.
Pharmacy contractors are encouraged to consider and familiarise themselves with their obligations under the GDPR to determine any compliance gaps that need addressing in their standard operating procedures and other policies for when the GDPR goes live.
In summary, you should:
Read through the ICO’s guidance on getting ready for the GDPR at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/ to identify areas of concern and put together an action plan.