By Jagdeep Rai, Head of Medical Affairs (UK & Ireland), Bayer
GDPR was established to provide greater protection for personal data and to give more rights to data subjects. To comply, pharmacies must ensure that their customers’ personal data is treated lawfully.
The key principles include: being transparent on what data you hold; what you will use it for; how it will be stored and processed and how long you will keep it for; having a legitimate basis for processing; ensuring data security; minimising the amount of data you hold, so you only keep the necessary details for an appropriate amount of time; and keeping records accurate and up to date. These principles offer a best practice framework for the confidentiality and data protection of customers’ personal data.
There are well publicised penalties for non-compliance, ranging from fines to bans on data processing. Crucially for pharmacies, there is also reputational damage to consider. Customers trust pharmacists with personal health information and expect that their data will be used properly and kept secure.
Information relating to an individual’s mental or physical health qualifies as ‘special category data’ (formerly ‘sensitive personal data’), and is subject to increased protection measures, as it is considered more sensitive and personal in nature. Our new Business Fit for the Future training module includes guidance on keeping up to date records and IT systems to make sure technology is working with you, rather than against you, when it comes to GDPR.
GDPR requires anyone processing personal data to take steps to ensure data is secure and that records are maintained properly. This includes training staff so they’re all aware of their responsibilities, encrypting data, ensuring the confidentiality and integrity of the systems you’re using (this means keeping your IT systems up to date so they can’t be easily compromised) and establishing a process to test and evaluate security regularly.
Appointing a member of staff to be responsible for overseeing your GDPR projects is essential. It’s good to have someone who understands the requirements who can fulfil any specific obligations related to GDPR. Given we’re over a year in, it’s easy to push GDPR to the back of your mind, but regular monitoring and risk assessments of the personal data you keep will help make sure you’re up to speed and remain compliant.
The information you give to individuals about the handling of their personal data, for example in privacy notices, is important. Make sure notices are written in simple language that can be easily understood and display them prominently instore and on your website (if you have one). But take care with direct marketing. You need to make sure you have a record of a customer’s explicit consent to receive unsolicited marketing materials, such as communications about the services you offer.
Different information is subject to different guidelines – the important thing is not to hold information ‘just in case’. GDPR requires that you keep personal data only for as long ‘as is necessary’. The recommendation on archiving a PMR, for example, is 10 years after the death of the patient. At this point, the relevant personal data you hold should be deleted or destroyed.
To make sure special category patient data is held properly, look out for companies that are not based in the EU – there are additional checks that must be made if the data is leaving the European geographic area. If this is the case, you should also tell your customers. Make sure to have assurances that internet connection and electronic NHS systems don’t compromise data security, and that all data will be stored securely.
Contracts should include instructions from you, as the data controller, about how personal data will be processed, and how providers will assist you to comply with GDPR regulations. They should also state that suppliers will not engage third parties to process data without your explicit written consent.
High profile breaches in data security in the past has led to some caution among customers. This could, however, be an opportunity for local community pharmacies to prove how robust their processes are, and the high value they place on their customers’ personal data.
One final thing: don’t bury your head in the sand. Dedicate some time to reviewing your processes regularly.