Business compliance

NPA Essential

The NPA has launched a resource to help contractors comply with a General Data Protection Regulation (GDPR) requirement to appoint a data ‘expert’ within the team.

The NPA has launched a suite of resources to help contractors comply with a General Data Protection Regulation (GDPR) requirement to appoint a Data Protection Officer (DPO) for the organisation. This is the latest in a number of initiatives to support members to comply with the legislation that came into force on May 25 2018. It includes:

GDPR DPO guidance - providing an overview on the roles and responsibilities of the data controller, data processor and DPO.

GDPR DPO checklist - a template supporting the DPO to undertake their role helping the DPO give action/feedback to the data controller/processor on their compliance with data protection laws and relevant policies.

GDPR definitions and quick reference guide: a go-to list of important definitions and quick reference guide which can be used by the DPO to help raise data protection awareness to those in the organisation.

The NPA has been advising members of the requirement to appoint a DPO for a number of months.

Leyla Hannbeck, NPA director of pharmacy, said that, while she was hopeful that most pharmacies will be up to speed with the new requirements, those that were lagging behind should not panic.

She said: “The DPO can be an existing employee of an organisation. Alternatively, the role can be contracted out externally. No specific training is required for the role; however, the Information Commissioner’s Office (ICO) has stated that the DPO should have expert knowledge of data protection law. According to the current ICO guidance, one DPO can be appointed for a group of companies or public authorities, as long as the appointed individual effectively performs the DPO tasks taking the size and structure of each organisation into consideration. However, it is important to consider if one DPO can realistically cover a collection of organisations. The organisations should ensure the DPO has the necessary resources in place to undertake their role and be supported as appropriate. If a DPO is shared by a group of organisations, the DPO must be easily contactable. The DPO’s contact details should be available to the employees of each organisation, the ICO and the individuals whose personal data is processed.”

To view all of the NPA’s GDPR resources, including two webinars, NPA members can visit
