GDPR Flashcards
When is GDPR applicable from?
25 May 2018
The EU has outlined that:
A fine of up to €__ million, or _%, of the organisation’s global turnover (whichever is higher), for infringements including the failure to notify the Information Commissioner’s Office (ICO) of a data breach, and the failure to follow data controller or processor obligations.
A fine of up to €10 million, or 2%, of the organisation’s global turnover (whichever is higher), for infringements including the failure to notify the Information Commissioner’s Office (ICO) of a data breach, and the failure to follow data controller or processor obligations.
Under the GDPR data controllers will need to notify the supervisory authority (in the UK this is likely to be the ICO) of a personal data breach “without undue delay and, where feasible, not later than __ hours after having become aware of it”. Where a notification is not made within __ hours, reasons for the delay will need to be provided.
Under the GDPR data controllers will need to notify the supervisory authority (in the UK this is likely to be the ICO) of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. Where a notification is not made within 72 hours, reasons for the delay will need to be provided.
What is a Data Protection Officer?
The GDPR will require some organisations to designate a DPO, for example, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to ensure that a named individual in the pharmacy business, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.
Under GDPR, data subjects have greater control over their data. Who counts as a data subject?
Data subjects, which include any living person on whom the pharmacy holds or processes personal data, have the “right to erasure”, also known as the “right to be forgotten”. This gives patients the right to direct the Data Controller – the pharmacy – to erase any of their personal data in certain situations.
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
How long do pharmacies have to respond to a request for erasure?
The GDPR introduces a right for individuals to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten’.
Individuals can make a request for erasure verbally or in writing.
You have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
The EU/GDPR stipulates that:
A fine of up to €__m, or _% of the organisation’s global turnover (whichever is higher), for infringements including non-compliance with orders from the ICO, failure to follow the basic principles for processing (including consent), and infringement of an individual’s rights.
A fine of up to €20m, or 4% of the organisation’s global turnover (whichever is higher), for infringements including non-compliance with orders from the ICO, failure to follow the basic principles for processing (including consent), and infringement of an individual’s rights.
There will be a duty for all organisations to report certain data breaches to the ICO, and in some cases, report the data breaches to the affected individual(s). Examples of data breaches which must be reported include what? (5)
Damage to reputation; discrimination; financial loss; loss of confidentiality; other economic/social disadvantages.
Under GDPR, Do I need to obtain consent from each patient who presents a prescription?
No. Under GDPR, consent does not need to be obtained from each patient presenting a prescription for dispensing, because consent is not the lawful basis for processing.
A patient provides implied consent to enable the pharmacy to process their personal data for the purpose of dispensing a prescription. Therefore the pharmacy’s lawful basis for processing the personal data present on the prescription is that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
If a GP surgery asks for a prescription to be delivered urgently to a patient, what is the lawful basis for a pharmacy to fulfil this request?
The lawful basis for processing the patient’s personal data for the purpose of urgent delivery, in this case, is that “processing is necessary in order to protect the vital interests of the data subject or of another natural person”. It is advisable that the pharmacy clearly documents the lawful basis of this processing on the patient’s medication record (PMR).
Who can be the Data Protection Officer?
Can it be the information governance lead?
The ICO has stated that an organisation’s DPO can be an existing employee of an organisation, or the role can be contracted out externally to another organisation. This individual’s professional duties should be compatible with their DPO duties, and there must be no conflicts of interests.
A pharmacy’s information governance (IG) lead can potentially act as the DPO, as long as the above criteria are fulfilled. This concept is similar to how the IG lead can currently be the pharmacy superintendent pharmacist, while acting independently.
Can patients request to access their data free of charge?
Yes