Latest News

GDPR - Action required: Updated advice regarding Data Protection Officers

Monday, May 14, 2018


Following campaigning by national Pharmacy and healthcare bodies for an exception to the requirement for a DPO for smaller pharmacy businesses, the Minister for Digital and Creative industries Margot James MP has now clarified that the Government believes that primary care service providers should in fact have a “single point of contact for data protection matters”, as they “process sizeable quantities of sensitive health data”.

In the guidance provided to members, the advice was that smaller community pharmacy businesses “may also need to appoint a DPO”. We must now change this to advise that all contractors appoint a DPO as part of their journey towards GDPR compliance. We are disappointed by this outcome, and recognise that there is very little time to go before the GDPR go-live date of the 25th of May. However, please do remember that the Information Commissioner herself has written in her blog that:

“GDPR compliance will be an ongoing journey”; and “… if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world”

In essence, the regulator is not expecting full compliance from all data controllers and processors from the 25th, not least because the associated UK legislation is not yet in place. Whilst there is no need to panic, you should start considering what action to take with regards to appointing a DPO now. We will update our guidance and workbook to reflect this change in advice this week.

Appointing a Data Protection Officer

A Data Protection Officer can be an internal employee or an external person with whom you contract. The ICO has provided guidance about the role, skills and responsibility which should be held by a DPO, which is briefly summarised below:

  • A DPO helps you to monitor internal compliance, advise on your data protection obligations and act as a contact point for data subjects and the ICO
  • A DPO must be able to function independently, be an expert in data protection, be adequately resourced and report to the highest management level.
  • In some cases, several organisations may work together to appoint a single DPO between them.