This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is the second in a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the  GDPR guidance and contractor workbook. 

Once you’ve started to get to grips with GDPR (see Part 1. Where do I start?), it’s important to have a plan and consider what needs to be done. The Community Pharmacy GDPR Working Party has developed a 13-step plan, followed by both the guidance and the workbook. The steps are set out in the form of a mnemonic – DATAPROTECTED – to help you to remember them, as follows:

1. Decide who is responsible
2. Action plan
3. Think about and record the personal data you process
4. Assure your lawful basis for processing
5. Process according to data protection principles
6. Review and check with your processors
7. Obtaining consent if you need to
8. Tell people about your processes: the Privacy Notice
9. Ensure data security
10. Consider personal data breaches
11. Think about data subject rights
12. Ensure privacy by design and default
13. Data protection impact assessment

If you follow this 13-step plan, this should assist you on your journey towards GDPR compliance.

Your plan you should also include staff training. Staff need to be trained appropriately to their roles and should understand the basics of data protection (knowledge they should have already) and be aware of the GDPR and some of its key issues for your pharmacy, for example:

• you have a lawful basis for processing data concerning health, a special category of personal data;
• you have a privacy notice and they need to bring this to the attention of new patients;
• data security is very important, and they are involved in this too (and exactly how);
• generally, subject access requests are dealt with without charge and within in one calendar month; and,
• there are new rules on dealing with data protection breaches and the Information Commissioner’s Office (ICO) may need to be informed of a breach without undue delay and at least within 72 hours of you first becoming aware of it.

Your registration with the ICO also remains important and you will need to continue to pay a fee to the ICO after 25th May 2018 (there are some exemptions from this requirement).

This has the feeling of a revision plan, which is perhaps appropriate as we head towards the summer exams for many students.

For more information and guidance on GDPR, please visit psnc.org.uk/GDPR

Read the next instalment (3 and 4. Your lawful basis for processing personal data) here.