Pharmacy and health care industry bodies lost their fight earlier this month to gain an exemption from requiring a Data Protection Officer (DPO) under GDPR and the UK Data Protection Act 2018.
The UK Data Protection Act 2018 and the GDPR state that businesses whose core function includes processing special category data (including health data) requires a DPO, regardless of the size of the organisation.
This is good news for customers, they will have an extra layer of confidence knowing their personal data is being managed in line with the law, but small pharmacies in particular will be hit hard with this news.
What is a DPO anyway?
The DPO is an independent data privacy expert who reports to the Board (or highest level of the business) and possesses legal knowledge and is ultimately responsible and accountable for the data privacy policies, processes and procedures.
They act as advisors to your business and ensure your business or practice is compliant with EU / UK data protection legislation. Because of the conflict of interest, this cannot be an owner of the business.
The concept of the DPO has been around for some time, but there are not a large number of people within the EU with the right level of experience to hold the post.
For smaller and independent Pharmacies, GPs surgeries and dental clinics in particular, this poses a high risk to business, either through non-compliance (choosing to ignore the regulation or appointing an unsuitable Data Protection Officer), or financially (hiring a DPO directly, or engaging an outsourced DPO service).
Fortunately, both EU and UK data protection legislation allows for groups of similar businesses to be represented by a single DPO in certain circumstances. Pharmacy and medical industry groups should encourage their members to pool resources together, and save on fees.
How do I get in touch to discuss this?
For more information, please contact us on +44 203 934 1099, or email firstname.lastname@example.org to hear more about our service and see if we can help.