The General Data Protection Regulation (GDPR) will be enforced in Europe on 25 May to ‘harmonise data privacy law across Europe, protect and empower all EU citizens’ data privacy and reshape the way organisations across the region approach data privacy’.
Data protection already affects contractors, as pharmacies process personal data such as prescription information and data collected while delivering advanced services.
GDPR is an evolution of the existing law and builds on the work contractors already do. It’s a ‘step change’ – what was best practice becomes mandatory.
While guidance is still being issued, The Pharmacist outlined the 13 steps contractors should take to comply with GDPR, as explained by Pharmaceutical Services Negotiating Committee (PSNC) director of operations and support Gordon Hockey during the negotiator’s webinar on GDPR.
All templates mentioned can be found in the community pharmacy GDPR Working Party guidance.
For steps 1-7 of this guidance, see Your step-by-step guide to GDPR compliance: part 1.
STEP 8. Tell people about processes: the privacy notice
You don’t have to rely on consent as the basis for processing data, but a key principle of GDPR is giving people clear information about how their data are used or ‘processed’, how long they are held for and why.
This can be provided in the form of a Privacy Notice, which must be available in the pharmacy premises and online and must be drawn to customers’ attention.
If you carry out additional work, you will need to add this to the privacy notice.
What to do next? Complete template G and make sure that your notice is available in the pharmacy premises and online, and that staff know how to access it and when they should show it to patients.
STEP 9. Ensure data security
A lot of the previous templates from the IG workbook listed here relate to data security.
The GDPR requires anyone processing personal data to take steps to ensure data security, in terms of physical (buildings), electronic (mobile devices, computing guidelines and disposal of equipment) and human (confidentiality) security.
You might want to talk to your PMR suppliers and train your staff on personal data security.
What to do next? Complete template H, seek assurances from your providers, if necessary, and train staff on security of personal data.
STEP 10. Consider personal data breaches
This is a new area. There are two updated templates: one setting out how to handle data breaches and the other how to record them.
You must record all data breaches, for example if you lose a prescription in a public place or disclose data to the wrong person.
Data breaches must be reported as soon as possible, and within 72 hours to the ICO, where there is a high risk to the rights and freedoms of patients or the data were not encrypted.
Encrypting data is recommended, as it helps avoid inadvertent breaches.
What to do next? Complete template I, which is an update of the Information Security Incident Management Procedures currently in template 11 in the PSNC IG templates, and keep a copy of template J, in case of data breach.
STEP 11. Think about data subject rights
You must be ready to respond to any requests from data subjects. The requests may come from people who want to know about the way you process their data.
There is no charge for subject access requests in general cases.
You need to be able to demonstrate that you comply with the legislation, which is different from simply complying.
Make sure you know the rights of the patients and customers whose data are held within the pharmacy.
In rare cases – when someone raises an objection – you might have to delete their record.
What to do next? Have a look at template K.
STEP 12. Ensure privacy by design and default
Under the GDPR, considering data protection by design and default is a legal requirement.
Ask yourself the following questions:
- Can I protect patients’ rights better with the systems I’m using?
- Can I pseudonymise data rather than having patient names?
- Can I use encryption?
- What are the ways in which I can minimise risks in the systems I have?
Ensure that your IG lead and other people involved in the IG, including the DPO where applicable, consider privacy by design and default.
What to do next? Use template L to record your pharmacy’s relevant activities.
STEP 13. Data protection impact assessment
The GDPR requires a data protection impact assessment (DPIA) to be carried out for certain data processing activities – which includes healthcare data – where there is a high risk to the rights and freedoms of individuals. The DPO, where applicable, can help you do this.
Exemptions apply where data is processed to meet legal requirements, in the performance of a task in the public interest or where an assessment was previously carried out.
While we are still awaiting ICO guidance, PSNC believes that smaller pharmacies will not have to carry out a DPIA for normal dispensing practices.
However, be aware that all pharmacies will need a DPIA when introducing any new technology, such as a dispensing robot, since a major change brings greater risk.
The DPIA’s goal is to make you think about risks and how to minimise them.
What to do next? Use template M to find out which activities may require a DPIA.
Overall, you should:
- Complete the workbook
- Be in touch with your PMR supplier and other processors
- Put up your Privacy Notice, add anything relevant to it and keep it simple, brief and clear
- Be ready for subject access requests and train your staff
- Be prepared to record and deal with any data breach and think about staff training
- Not be frightened!