The Digital Omnibus and pharmacy data compliance

Richard Hough and Eleanore Beard explain what the Digital Omnibus Package proposes and why it matters to the independent pharmacy sector…

A sweeping overhaul of European Union data law is likely on its way, and while the UK has left the EU, pharmacies that handle EU-based patients’ data, use EU digital platforms, or are exploring AI-supported tools cannot afford to look away.

On November 19, 2025, the European Commission published the Digital Omnibus Package, which is a wide-ranging set of proposals designed to simplify and harmonise EU digital laws, including the General Data Protection Regulation (GDPR), the EU AI Act, and the Privacy and Electronic Communications Regulations (PECR).

The stated aim is to reduce regulatory complexity, cut compliance costs, and foster innovation across the EU's digital economy.

For pharmacy businesses operating entirely within the UK, it might be tempting to file this under 'not our problem', but that would be a mistake.

While the UK has now taken its own legislative path through the Data (Use and Access) Act (DUA Act), which amends and reshapes aspects of the UK GDPR and the Data Protection Act 2018, reform of the UK data protection framework is likely to be ongoing.

Many pharmacies, particularly those which offer digital consultation services, online prescribing platforms or operate complex supply chains, are already exposed to cross‑border data flows and commercial relationships with EU‑based suppliers, technology providers or partners.

The proposals emerging from the EU signal the broader direction of travel in data regulation and governance. Historically, EU frameworks have played a significant role in shaping subsequent UK reforms, and further developments at EU level may yet influence how the UK regime continues to evolve.

For pharmacy businesses, this is not simply a question of formal compliance, but of future‑proofing systems, contracts and data governance arrangements in an increasingly complex regulatory landscape.

The proposals

The Digital Omnibus proposes changes that go to the heart of how personal data is defined, when it can be processed, and how compliance burdens are managed.

Perhaps the most significant proposed change to EU GDPR is a narrower definition of personal data. Under the proposal, data will only be treated as personal where there is a 'reasonable likelihood' that the individual can be identified.

This reflects a recent Court of Justice of the EU ruling, which confirmed that data held in a form where the holder lacks any realistic means of identifying the individual falls outside GDPR's scope entirely.

For pharmacies, this has real practical relevance. Pseudonymised data which is used in clinical audits, service evaluations, or dispensing analytics may, depending on the circumstances, no longer attract the same compliance obligations as fully identifiable patient records.

If the proposals succeed in changing the definition of personal data, guidance on how to assess identifiability will follow, and pharmacy teams will need to understand where that line falls.

Meanwhile, the Information Commissioner's Office (ICO) has recently reinforced the need for pseudonymised data to continue to be treated as personal data and highlighted the need to maintain adequate security measures for all pseudonymised data.

Special category data

Health and medication data is special category personal data. It always has been, and the Digital Omnibus does not change that fundamental position. What it does propose, however, are two new exemptions that could affect how pharmacies and those supplying them with technology manage that data.

The first would permit the processing of biometric data for identity verification, where the verification mechanism is entirely under the control of the individual concerned.

The second exemption, which is even more significant for the sector, would create a limited lawful basis for processing special category data in the development and operation of AI systems and models, subject to strict conditions and safeguards.

As pharmacies increasingly explore AI-supported dispensing tools, clinical decision support, and patient triage technologies, understanding the precise boundaries of that exemption will be essential.

The conditions are not yet finalised, but one thing is clear: AI and health data are on a collision course with regulation, and pharmacy businesses need to be ready.

Access requests

Pharmacies are well acquainted with data subject access requests (DSARs). Patients regularly request their dispensing records, and managing those requests takes time.

The Digital Omnibus proposes a clarification that would allow controllers to refuse DSARs that are clearly made for purposes unrelated to data protection, for example, where a request appears to be driven by litigation strategy rather than a genuine privacy concern.

This reflects a debate that has been running for some time about how DSAR rights can be misused, and the proposal offers some relief to organisations that have been on the receiving end of vexatious requests.

The threshold for refusal is likely to remain high, and any decision by a pharmacy to decline a DSAR will need to be carefully considered and documented.

Cookie compliance

For pharmacies running patient-facing websites, online consultation platforms, or repeat prescription ordering services, the proposed changes to cookie consent rules deserve attention.

Currently, the requirement to obtain consent through pop-up banners and layered notices creates friction for users and a compliance headache for operators.

The Digital Omnibus seeks to streamline this significantly, reducing the volume of consent prompts and simplifying how valid consent is captured.

The aim is to make digital engagement easier for patients and compliance more manageable for businesses. How the detail will land in practice remains to be seen, but the direction is one that many in the sector will welcome.

Reporting and AI

Two further changes are worth flagging. The Digital Omnibus proposes a single, unified reporting mechanism for both cybersecurity incidents and personal data breaches, supported by standardised templates.

For pharmacies, which are increasingly targeted by ransomware and phishing attacks, the prospect of a simpler, more consistent reporting framework is a positive development, provided the timelines and obligations are clearly set out.

On AI, the proposals extend compliance timelines for high-risk AI systems, scale back mandatory registration requirements for certain systems, and simplify conformity assessments, particularly for smaller operators.

There is also a proposed new legal basis for processing special category data specifically to detect and correct bias in AI systems. As NHS and private sector deployments of clinical AI expand, these changes will have direct implications for any pharmacy investing in or using AI-powered tools.

What pharmacies should do

It is important to note that the Digital Omnibus is still at the proposal stage. There are already rumblings of discontent within the European Board of Data Protection and other organisations, which have indicated that the changes could weaken data protection rights and create legal uncertainty.

A public consultation will follow, and the detail may well change before it becomes law. But the scope of what is being proposed is significant, and waiting until after the legislation comes into force is not a sensible approach.

Pharmacy owners can, however, take this opportunity to check their compliance with current UK GDPR standards, as amended by the DUA Act.

Pharmacy owners and superintendent pharmacists should review their records of processing activities now, paying particular attention to how patient data, including pseudonymised data used for audit, research, or analytics, is currently classified and protected.

Those exploring or already deploying AI tools, whether for dispensing support, patient communication, or clinical triage, should ensure that data protection impact assessments are in place.

DSAR procedures should be reviewed to ensure they are robust, well documented, and capable of distinguishing legitimate requests from those that may be open to challenge.

Cookie and ePrivacy compliance on patient-facing digital services should be assessed, and staff training on data protection responsibilities should be documented and kept current.

Protecting patient data is not simply a compliance obligation; it is a professional one. The Digital Omnibus may be an EU initiative, but the questions it raises about how health data is managed, shared, and protected are questions every pharmacy business in the UK should already be asking.

Richard Hough is a partner and head of healthcare at Brabners LLP and a former pharmacist. His co-author Eleanore Beard is a legal director at Brabners with expertise in data protection.