Businesses throughout the country are gearing up for the biggest shake-up in European data protection in years. The General Data Protection Regulation (GDPR) builds on businesses’ existing responsibilities under the Data Protection Act (DPA), as well as adding new ones specifically designed for our increasingly linked-up economy. It’s important to note that the UK’s participation in the updated regulation is in no way affected by the vote to leave the European Union.
Community pharmacy representative bodies such as the Pharmaceutical Services Negotiating Committee (PSNC) have been stressing for some time that our sector is no different from any other. “Pharmacies keep personal data related to the dispensing of patients’ prescriptions and other services,” says Gordon Hockey, director of operations and support, “so every pharmacy in the UK must ensure that as of 25 May it is fully GDPR-compliant.”
What do the changes mean for community pharmacy and what do businesses need to do to ensure they’re up to scratch by the deadline?
GDPR is aimed at making data protection laws fit for purpose in the era of so-called big data. Commentators say that existing laws were drafted at a time when data was largely held neatly in structured databases. In an era when unstructured electronic information, such as emails, travels across the globe in an instant, these laws no longer suffice. And the sheer volume of data being produced eclipses what has gone before. According to legal and accountancy firm Oury Clark, more data has been created over the past two years than in the entire history of the human race.
The regulation seeks to improve how businesses safeguard personal data and how they keep documented evidence of this protection. It covers things such as the rights people have with regard to their data, how organisations obtain their consent for using that data and where responsibility for data protection compliance sits within an organisation.
The Information Commissioner’s Office (ICO), the UK’s independent authority for upholding information rights, advises that all key individuals in an organisation should be aware of the changes coming with the GDPR, saying they “need to appreciate the impact [the legislation] is likely to have and identify areas that could cause compliance problems under the GDPR”. The ICO also has a word of advice for those implementing the changes: “You may find compliance difficult if you leave your preparations until the last minute.”
Speaking at the 2018 Sigma Conference in Borneo, NPA chief pharmacist Leyla Hannbeck described the GDPR as going “one step further” than the current requirements under the DPA. Much of it is familiar: the obligation outlined in the GDPR to document any personal data held, where it came from and with whom it is shared, for example, is not new. What is changing, according to the ICO, is the degree to which rights are being updated for a “networked world”.
Documenting data is something health organisations often struggle with, says the ICO. “Whether at large NHS hospitals or small private dentists, we often see ineffective logging, tracking or movement of manual records,” it says. DPA breaches have included care home records being found in derelict garages.
The GDPR upholds the existing requirement to ensure procedures are in place to detect, report and investigate any personal data breaches, and introduces a duty on all organisations to report certain types of data breach to the ICO and, in some cases, to individuals.
The GDPR deals with the various bases on which an organisation is permitted to process an individual’s data. One basis for processing data that has generated a lot of discussion is consent. The regulation has been described as setting a high standard for obtaining an individual’s consent. “It is very important that the entire team is aware of data protection and individual rights and consent, because they will be having an important role to play here,” Ms Hannbeck told the Sigma conference. “You need to have robust consent activity in your pharmacy.”
According to the ICO, organisations might also need to implement new procedures to cope with new developments regarding transparency and individual rights. This is especially relevant for large or complex organisations where new requirements “could have significant budgetary, IT, personnel, governance and communications implications”, says the ICO.
The GDPR also brings with it increased penalties for breach of obligations, with maximum fines as high as €20 million (£18 million), a big leap from the current maximum fine for organisations of £500,000.
The GDPR states that organisations should designate someone to be responsible for data protection compliance and to consider whether they should formally designate a data protection officer (DPO). This is the “most problematic issue” for contractors, says the PSNC.
“Larger community pharmacy businesses must appoint a DPO, but smaller pharmacies ought to be able to avoid this requirement,” says Mr Hockey. “However, as the new UK Data Protection Act currently stands in draft, all pharmacies will have to appoint a DPO. We, with other representatives of primary care contractors, are opposing this.”
The PSNC has said it is working to “limit the number of contractors who must appoint a DPO and, if this is unsuccessful, to ensure the guidance on DPOs is applied pragmatically to community pharmacy”. Ms Hannbeck says it is a near certainty that pharmacies will be required to have a DPO and advises contractors to act accordingly.
Many of the rights people have regarding their data under the GDPR are the same as with the DPA, but it’s still worth businesses checking their procedures and whether they are equipped to enforce all of these rights. One new addition is the “right to data portability”, which allows individuals to obtain and reuse their personal data for their own purposes across different services, potentially significant at a time when we hear more of linked-up health services.
“The GDPR permits the flow of personal data when required for the performance of tasks in the public interest, with various caveats and protections,” says Mr Hockey. “This should allow community pharmacy to be more integrated with the rest of the NHS.”
The GDPR steps up the requirement to keep people informed about how their data is used. As well as the existing need to say who you are and how you use information, you will need to explain other things, such as data retention periods, and the information must be provided in concise, clear and easy-to-understand language.
A worrying report from the Federation of Small Businesses in February found that just 10 per cent of small businesses in the UK were fully prepared to comply with the GDPR, and there are concerns in the community pharmacy sector that some contractors could reflect the national trend of unpreparedness.
However, Bristol pharmacist Mithun Makwana says he has every confidence in his business’s data management processes. “We do follow the current Data Protection Act properly,” he says. “We have information governance already implemented and so on, but we might have to do just a few things differently. I feel confident in our approach to data management and don’t think we’ll have to do much extra stuff, but I do know that the penalties can be severe, so we obviously want to avoid that.”
“We are just about to issue guidance on the GDPR, which has been developed with a cross-sector working party from community pharmacy,” says Mr Hockey. “This will include a workbook for contractors to complete to assist GDPR compliance. Pharmacies are subject to considerable information governance requirements already, but there is still some work to be done.”
Mr Hockey concludes that the GDPR is a positive thing for the sector. “Yes, community pharmacy has always taken a decisive approach to data management and this is important for the security and confidentiality of patient information,” he says. “The GDPR should further improve this.”
PSNC’s top tips
PSNC director of operations and support Gordon Hockey advises contractors to complete the committee’s workbook and follow the 13 steps within it, which are listed under the mnemonic DATAPROTECTED.
1. Decide who is responsible
2. Action plan
3. Think about and record the personal data you process
4. Assure your lawful basis for processing
5. Process according to data protection principles
6. Review and check with your processors
7. Obtain consent if you need to
8. Tell people about your fair processing notice
9. Ensure data security
10. Consider personal data breaches
11. Think about data subject rights
12. Ensure privacy by design
13. Data protection impact assessment
NPA chief pharmacist Leyla Hannbeck on the organisation’s efforts to get the sector up to speed
Q. What progress has there been to date? Are pharmacists up to speed?
A. The GDPR is a big topic and the deadline is approaching quickly. Unfortunately, there are still a lot of pharmacists out there who are not aware of what it means for their business, so we are working hard to ensure there is relevant documentation and templates and guidance documents available for them to access. I will be sending loads of information to pharmacist superintendents in terms of GDPR, what it means for their business, what support is available for them, what is different from the DPA. We will also be doing face-to-face events throughout the country to educate the workforce.
Q. Are there any particular areas that are challenging for pharmacists?
A. There will be a lot more public awareness about what personal data is and how it is handled. The ICO has been advertising in various different media to say that this regulation is coming into effect in May, so the public are aware of their rights and will expect us to enforce them.
The second thing is that there is a role for everyone in the pharmacy in terms of making sure everyone is aware of what it means and what happens if a breach occurs, and really, how to handle personal data in a community pharmacy setting. It’s important that everybody in the team is aware of it and of the requirement for a data protection officer. It’s almost certain that there will be a requirement to have a DPO in pharmacies. It will be a case of making sure that every pharmacist is aware of what they need to do.
There is a lot of conflicting information out there about DPOs and GDPR. I would encourage everyone to come via the NPA because we have various resources available and accurate information. Come to us with any questions. There are templates available, and it’s not a scary topic. There is a big requirement for pharmacy to comply because of the sheer volume of data we manage on a day-to-day basis.
Q. Will being forced into data management be a good thing for pharmacy?
A. Of course. It’s all about data, and it’s not just about the data we manage within our pharmacies. It’s third parties whom we share data with. Are we happy that those third parties are complying with GDPR? It’s an important topic for people to be aware of, especially in the healthcare sector, because of the volume of data and the fact that we work with third parties. Also there are areas where there could be a significant breach, such as patient data going missing, prescriptions going missing, things like that, so it’s important to know what the next steps are if a breach happens. People will need to start educating themselves.