What is GDPR?
The General Data Protection Regulation (GDPR) is an overhaul of European data protection law that comes into force on 25 May 2018. It changes the obligations on organisations that hold, control or process personal data, and it changes the rights of the people whose personal data is being held, controlled or processed by those organisations.
Accountability is a key focus of GDPR. Organisations will need to explicitly demonstrate adherence to the rules once GDPR comes into effect; it can no longer be assumed that the regulations are being followed, and organisations will need to prove their compliance. Full documentation must be kept and made available that records what personal data is held about EU residents, why it is held and on what legal basis.
Organisations will no longer be able to repurpose information about someone in order to use it for direct marketing, either. Not without specific consent being given by the individual, at least.
It will be easier for people to withdraw consent to organisations handling and using their private information. It will also become harder for those organisations to obtain and retain data without a specific and expressed reason. Any use of data without a valid legal basis, such as consent, will be a breach of the regulations.
Additionally, there are changes around how quickly organisations must respond to someone’s request for access to the data held about them: in general, a subject access request must be answered within one month. Organisations will need clear and easy to implement internal policies for responding to these access requests.
Data Controllers and Data Processors
The exact requirements for following the new regulations will depend on whether you qualify as a ‘Data Controller’ or a ‘Data Processor’. Some organisations may even fall under both.
GDPR defines these two roles as follows:
- ‘The data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’
- ‘The data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.’
The Data Controller is the organisation that retains and uses the information, effectively ‘owning’ the data and dictating how it is used, whereas the Data Processor is generally a third party that uses the data for tasks on behalf of the Data Controller. This means that TouchStore qualify as Data Processors and those of you who own and run pharmacies are the Data Controllers. As Data Processors we are obliged to follow security protocols and to process data only on the controller’s instructions. However, the responsibility for ensuring that GDPR is fully complied with in a pharmacy lies with the pharmacy.
What does it mean for your business?
Since pharmacies already deal with sensitive medical information about patients, they will likely already operate fairly robust security when it comes to data. Despite this, pharmacies need to take GDPR seriously. Fines for data breaches and non-compliance can be extremely high (up to €20 million or 4% of worldwide annual turnover, whichever is greater), so the incoming regulations should not be ignored or dismissed as unimportant.
The data that pharmacies retain isn’t generic information like email addresses or shopping preferences of the kind other industries are concerned with. Pharmacies regularly deal with in-depth patient data, much of it health information, which GDPR treats as a special category of personal data subject to stricter rules. Security of this information is vital.
What your business should do to prepare
By now pharmacies should already have begun implementing changes to ensure that GDPR compliance will not be a problem come May 25th. If you haven’t, the issue needs to be addressed immediately. If your business is large and complex enough, dealing with large amounts of personal data, you may need to appoint a dedicated Data Protection Officer or hire an external consultant to ensure your business remains compliant.
Since pharmacies qualify as Data Controllers, they must have clear and concise information about their legal basis for any processing of personal data. That includes the collecting, recording, retrieving, usage and retention of personal data. They also have a legal obligation to report personal data breaches to the Office of the Data Protection Commissioner, where feasible within 72 hours of becoming aware of the breach.
What TouchStore have done to prepare for GDPR
The dispensing and retail software that we provide processes information relating to thousands of patients every single day. This means that we have a huge responsibility to manage that information in a safe and secure manner. We take this responsibility seriously and we continually review our policies and processes to help make TouchStore as GDPR compliant as possible.
GDPR represents significant steps forward in relation to the protection of individuals’ rights, but at TouchStore we have always been aware of and sensitive to the need for secure and robust management of personal data. As such, we have always adhered to the Data Protection Act 1988 and its 2003 amendment, and we will strive to adhere to GDPR into the future.
We’ve worked hard to ensure that we are fully and completely compliant with the new rules by May 25th. If you’re not sure how compliant your business will be with the incoming regulations, we would highly recommend you seek external advice to ensure you’re as compliant as possible.
Where can you learn more?
The Office of the Data Protection Commissioner is a key resource for learning more about Data Protection and GDPR. They have issued various guidance in relation to GDPR and set up the website GDPR & You (http://www.gdprandyou.ie/) which helps businesses and individuals learn more about the upcoming changes.
Those of you who are members of the Irish Pharmacy Union (http://www.ipu.ie/) may also take advantage of the formal guidance issued by the IPU in preparation for the implementation of GDPR.