Responding to data breaches
In order to comply with GDPR, pharmacies must take prompt action when a data breach occurs. You should have a policy or procedure in place in the pharmacy to cover any data breaches - make sure you are familiar with this policy.
Any data breach which is likely to affect an individual's rights and freedoms must be reported to the relevant supervisory authority (this will be the ICO) without delay and within 72 hours of becoming aware of it. In some cases the individuals affected by the data breach should also be notified by the DPO or the business. An example of a breach which is likely to affect people's rights and freedoms would be the loss of a prescription bundle in a public place.
The ICO website (ICO penalties) confirms that, as of 2023, a failure to report a data breach can result in a fine of up to £17.5 million or 4 per cent of annual turnover for the organisation.
You must record all data breaches in the pharmacy, even those that are not reported to the ICO. You should also be able to show how you have learnt from each data breach.
ACTION: If you become aware of a data breach you should notify your manager/DPO immediately.