This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is part of a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

Community pharmacy contractors, as data Controllers, must process personal data in accordance with the principles of the GDPR (Article 5 (1)), which, in brief, are:

1. processed lawfully, fairly and in a transparent manner;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Broadly, these are the same as the current data protection principles. What is different is the ‘accountability principle’ – that the data ‘Controller shall be responsible for and be able to demonstrate compliance’ with these principles (Article 5(2)). This is the one of the fundamental shifts with the new legislation, you must not only comply but show that you are complying. Showing you comply has been good practice for a while; after 25th May 2018, it will be mandatory.

Completion of the GDPR Workbook is part of what you need to do to demonstrate compliance with the data protection principles. Equally important is that the Workbook is used to record data breaches and subject rights, or subject access requests and that data protection and security is a part of your ongoing work, as is compliance with any other legal requirement.

We said in the Guidance for Community Pharmacies: Completing the Workbook for Community Pharmacy will help you demonstrate you are complying with the data protection principles. This is referred to as the accountability principle and is part of the GDPR’s shift from a reactive to proactive approach to data protection.

Having appropriate procedures, including the Workbook, is important. It will even more important if somebody complains about you. In the past, often a data Controller’s response to a compliant was to apologise and assure the Information Commissioner’s Office (ICO) that they would put in place data protection procedures to avoid a repeat. After 25th May 2018, simply offering to introduce procedures will be too late. They should have been there already, for you to demonstrate compliance with the accountability principle.

For more information and guidance on GDPR, please visit psnc.org.uk/GDPR

Read the next instalment (6. Review and check with your processors) here.