As in previous years, the IPU continues to support members with up-to-date guidance and practical tools to assist with day-to-day compliance of GDPR. This May, we are encouraging all pharmacies to take the opportunity to review their documentation, refresh staff awareness, and ensure that their data protection measures and records are complete and fully up to date.

To support this, we have updated and reorganised the Data Protection section on the IPU website. This now includes a revamped Quick Guide to Data Protection, an easy-to-follow compliance checklist, updated templates, and an expanded FAQ section based on real-life queries from IPU members. These resources are designed to make compliance more manageable for busy pharmacy teams.

“Time invested now can ensure your pharmacy is protected, your team is confident, and your patients continue to receive the standard of confidentiality and professionalism they rightly expect.”

A practical walkthrough – where to begin

We recommend approaching your data protection review as a short project. Designate a lead person (for example, the Supervising Pharmacist), and then work through the following steps over the course of a week or two.

Step 1: Update and display your Privacy Notice

The pharmacy’s Privacy Notice (also called a Data Protection Statement), should:

• Be clearly visible in-store, ideally at the counter or near the waiting area;
• Be published on your pharmacy website if you have one; and
• Be available in printed form for patients who request it.

A template is available on the IPU website and can be tailored to your pharmacy.

Step 2: Refresh staff training

Staff training should be regular, documented, and relevant. At a minimum:

• Team members should review the IPU Data Protection Guide and your pharmacy’s own Data Protection Statement;
• Training attendance should be recorded; and
• New staff should receive training as part of their induction.

Step 3: Review your written policies and procedures

Ensure that you have written policies for:

• Managing personal data breaches;
• Responding to access requests (Subject Access Requests);
• Secure retention and disposal of records; and
• Use of CCTV and responding to footage access requests.

If you already have these policies in place, check that they are up to date. If not, template versions are available to download.

Step 4: Complete your Record of Processing Activities (RoPA)

Pharmacies must maintain a written record of:

• What personal data is held (for example, prescriptions, vaccination records, staff records);
• Why the data is processed;
• Who it is shared with; and
• How long it is retained.

A RoPA template is included in the IPU Guide and available on our website.

Step 5: Review your Data Breach Log

Even minor incidents must be logged. Your Data Breach Log should include:

• What occurred;
• What action was taken;
• Whether the incident was reported to the Data Protection Commission (DPC) and/or the patient; and
• Steps taken to reduce the risk of recurrence.

Having a clear, structured log helps demonstrate your compliance in the event of an audit or inspection.

Step 6: Check storage and access controls

All personal data — whether digital or physical — should be:

• Securely stored, with locked drawers or password-protected systems;
• Access restricted to authorised staff only; and
• Subject to automatic screen locks or session timeouts where systems allow.

Step 7: Schedule an Annual Review

We recommend that pharmacies complete a full data protection review:

• At least once a year (May is a good time);
• Whenever new systems are introduced or services change; and/or
• If there is a significant staff turnover or a data breach incident.

This should include reviewing your policies, training records, RoPA, and breach log.

Ready to start?

Time invested now can ensure your pharmacy is protected, your team is confident, and your patients continue to receive the standard of confidentiality and professionalism they rightly expect.

If you have any queries or need support, do not hesitate to contact the IPU at 01 493 6401.

You can access the checklists, templates, and supporting guidance at ipu.ie/gdpr.