The legislation regulates the processing of personal data relating to individuals by an individual, a company or an organisation.

The owner of the pharmacy business - the data controller - and the directors and officers (senior staff) of the business have responsibility for data protection in the pharmacy and the implementation of the legislation.

Pharmacy owners should consider scheduling regular reviews of data held and ensure they have the means to identify who has accessed data.

They should also audit when data has been accessed, looking out for any potentially inappropriate access. The superintendent pharmacist, Information Governance (IG) lead, or other person employed or engaged by the pharmacy business may have specific responsibilities for data protection and implementation of the GDPR.

The pharmacy team must have training about Data Protection and Information Governance, appropriate to their role.