GDPR for pharmacies – what should you know and do?

18th May 2018

Notwithstanding Brexit, new data protection legislation in the form of the General Data Protection Regulation (GDPR) comes into force on 25 May 2018 updating current data protection law.

Neil Jones, director and pharmacy law specialist at Ansons Solicitors in Staffordshire, explains what pharmacy owners need to know and do when it comes to the new GDPR rules.

“Pharmacy owners particularly need to be ready for GDPR given that pharmacies hold and process special category data (broadly similar to sensitive personal data under the previous data protection laws) for patients and employees,” explains Neil.

What is the ‘GDPR’?

Simply put, it is an update to data protection legislation, not a complete overhaul.

Hopefully you are already doing much of what is required as good practice anyway, as many of the principles are not new. The new legislation seeks to codify many of these and to clarify the rights and obligations of each party involved in the data process. ‘Personal Data’ is information from which an individual can be identified (including indirectly).

What does this mean for my pharmacy?

If you are a pharmacy owner, you will now be regarded as a ‘data controller’ (DC). DCs are the people responsible for deciding the purposes and method of processing personal information, and the DC’s responsibilities will include collecting, recording, retrieving, consulting and using the data.

As a DC you will require a lawful basis on which to hold and process anyone’s personal data. This could be the consent of the person concerned, but consent is not the only lawful basis. Consent can be express (written or verbal), or you can rely on another basis set out in the GDPR, which could include the performance of a task carried out in the public interest or the purposes of administering treatment to a patient. You should review your existing processing, consider which of the possible lawful bases are most appropriate to your business and then document them – it may not always be the same for everyone.

Getting consent does not permit the use of information for any purpose, only for the purpose for which consent was specifically given, and consent can also be withdrawn by the individual at any time.

What if you do not comply?

Penalties are likely to relate to the specific circumstances at the time and would depend on the seriousness of the infringement, whether it was intentional, reckless or negligent, what steps were taken to mitigate the breach and the nature of the personal data at risk.

Fines can potentially be significant (up to €10,000,000 or 2% of the business’s turnover, whichever is higher), and these thresholds can be doubled in certain circumstances (such as instances of non-compliance with any orders set out by the Information Commissioner’s Office (ICO)).

Equally, significant failure to comply could lead to legal action by the individual affected and reputational damage to your business.

So, what is new?

Fundamentally the principles of protecting data and information remain largely the same, but where changes have been made business owners should pay attention. For example, it is likely that each pharmacy will require a ‘data protection officer’ (DPO) on account of it being regarded as a public body. This person will be in charge of monitoring GDPR compliance, ensuring employees are carrying out their data protection obligations, training, reporting breaches to the ICO and being a general point of contact for patients. The business does not need to employ someone specifically for the role of DPO as this can be an existing employee.

What should I do now?

It is really a question of reviewing your existing roles and procedures as far as data protection is concerned.

Your DPO and all employees of the business must understand their obligations, so training updates may be appropriate and sensible (although not obligatory). All employees will be responsible for compliance!

You will need to record how you hold, collect, store and use personal data contained in your filing systems (electronic or otherwise). You should also ensure that your data protection policies are up to date with GDPR and are well documented. Remember GDPR is also relevant to personal data held about employees, not just patients.

Consider your PMR system. Is appropriate data protection compliance in place here? If your PMR supplier is dealing with your patients’ information you should seek an assurance that they are also compliant with their GDPR obligations.

Your patients need to be provided with clear information about how their data is being used and a form of notice would assist with this.

Also, be aware that some personal data breaches may need to be reported to the ICO within 72 hours, and to the people affected by the breach if there is a possibility that their rights and freedoms could be at risk. If you do not report a breach you will need to be able to justify that decision.

Overall, pharmacies have always been subject to enhanced data protection obligations by the nature of the people they deal with. If anything, the GDPR only highlights the obligations of a pharmacy which hopefully are already being carried out. You should consider the following:

  • ensure everyone in your business is familiar with the new rules;
  • undertake appropriate training;
  • appoint a data protection officer;
  • ensure you are registered and paid up with the ICO;
  • ensure policies and procedures for data protection are up to date (including your lawful basis for processing and your special category condition);
  • check your contractors are compliant; and
  • promptly report any breaches.

This article is not meant to be exhaustive and summarises some of the key issues of the GDPR that need to be considered. Anyone who is unsure about their responsibilities should obtain further advice.

Ansons is a leading pharmacy sector specialist with experienced pharmacy solicitors covering the corporate and commercial, property and employment law aspects of any business.

For advice in relation to GDPR or on buying and selling a pharmacy, re-financing, relocating or otherwise, please contact:

Neil Jones on 01543 431 184; or

Jamie Gill on 01543 431 185

The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.