Do I need a DPO? #GDPR

There are two reasons why you might be required to appoint a DPO. The first is that NHS pharmacies are subject to the Freedom of Information Act, and any organisation subject to that Act is automatically deemed to be a public authority under the proposed data protection legislation that will accompany the introduction of the GDPR (although this is not finalised at this stage). The second is that you may be considered a data controller whose core activities consist of ‘processing on a large scale … special categories of data pursuant to Article 9’ (GDPR Article 37(1)(c)); Article 9 special categories include data concerning health.

Recital 91 of the GDPR, although it is concerned with data protection impact assessments (DPIAs) rather than DPOs, states:

‘… The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.’

On the other hand, the Article 29 Working Party guidelines make clear that ‘processing of patient data in the regular course of business by a hospital’ is considered to be large-scale (Guidelines on Data Protection Officers (‘DPOs’), adopted on 13 December 2016, last revised and adopted on 5 April 2017). A single pharmacy therefore sits between the two examples the regulator gives: more than an individual health care professional, but not a hospital.

It would be sensible to assume that a business with multiple pharmacies will need to appoint a DPO. As we learn more about whether smaller businesses should appoint a DPO, we will communicate this to our members via the CPS website and update this pack.

View our GDPR page for more information