
Introduction

In GDPR legislation, “controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and the means of processing personal data. Your pharmacy is acting as a controller when it decides what data to collect and what the lawful basis for that collection is.

The controller has a number of obligations under data protection legislation, including compliance with the data protection principles. As a controller, you have a responsibility to establish a compliant data privacy culture, to set up the relevant frameworks and to ensure you are able to evidence your compliance with data protection legislation. When you are processing personal and special category data, you should:

  • Adopt data protection practices – this can include data protection by design and ensuring that you consider data protection at the preliminary stages of projects and new systems
  • Implement appropriate technical and organisational measures to secure personal data (Article 32) – this covers the security measures you take to protect data, as well as a training and awareness programme, and ensuring that enhanced training has been delivered to specifically address the identified root causes of any breaches
  • Ensure you can facilitate individuals’ rights (Articles 15 to 20) – you must be able to facilitate the rights and requests that people can make under data protection legislation; you and your employees must be able to identify these requests so that they can be escalated and there is someone who will deal with them
  • Provide transparency of information (Articles 13 and 14) – when you collect data from an individual and when it is transferred from a third party, you should tell people who you are and why and how you are processing their personal data
  • Ensure that you have the relevant contractual requirements with a processor (Article 28) – your legal contracts with any processors must contain the required clauses, and you must be satisfied that the processor is adhering to the data protection principles and acting on your instructions
  • Retain records of processing activities (Article 30) – this document provides you with an overview of what data you hold and process, where your data is stored, the security around it, whether it is transferred outside your business, what contracts or data sharing agreements are used, and the length of time you retain the data for

“The pharmacy is firstly accountable to the customers and patients whose personal data it processes, but it is also accountable to the Information Commissioner’s Office for any failures to protect personal data”