Compliance Guide

Pharmacy GDPR Compliance Guide

A practical guide to UK GDPR compliance for pharmacies and clinics handling patient data — and exactly how RxSure helps you meet every requirement.

28GDPR Requirements Mapped
21Handled by RxSure
7You Provide

Last updated: June 2026 · Based on UK GDPR & Data Protection Act 2018

Important: This page is an informational guide prepared by RxSure (QASTCO Limited). It does not constitute legal advice. Compliance decisions should be made with input from your Data Protection Officer and/or legal adviser. Requirements may change — this guide reflects UK GDPR and the Data Protection Act 2018 as of June 2026. We recommend verifying all requirements directly with the ICO.

Why GDPR Matters for Pharmacies

Pharmacies handle some of the most sensitive personal data there is — patient health records, prescription histories, consultation notes, and identity documents. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 set strict rules for how this data must be collected, stored, processed, and shared. Non-compliance can result in ICO enforcement action, fines of up to £17.5 million, and loss of patient trust.

If you operate an online pharmacy or private clinic, GDPR compliance is not optional — it is a condition of your GPhC registration, CQC compliance, and NHS DSPT accreditation.

Three Layers of GDPR Compliance

GDPR compliance for pharmacies requires three things working together. RxSure provides two of them.

Clinical Platform

RxSure provides this

  • AES-256 encryption at rest
  • TLS encryption in transit
  • Role-based access control
  • Immutable audit trails
  • Consent recording & management
  • Patient self-service data access
  • Automated data retention policies

Your Website

RxSure builds this for you

  • Privacy Policy page
  • Cookie Policy & consent banner
  • Terms of Service
  • Data controller identification
  • SSL/HTTPS across all pages
  • ICO registration number displayed

Your Governance

Only you can provide this

  • ICO registration
  • Data Protection Officer (if required)
  • Staff GDPR training
  • Data processing agreements
  • Breach notification procedures
  • Records of processing activities
  • Subject access request procedures
14
Platform Features
4
Website Compliance
3
Website + Platform
7
You Provide

Every GDPR Requirement, Mapped

Click any category to see the GDPR requirement and which RxSure feature addresses it.

Lawfulness, fairness and transparency

Patients must be told clearly what data you collect, why, and how it will be used. Consent must be explicit for health data processing.

Website + PlatformPrivacy Policy + Consent Module
RxSure websites include a full Privacy Policy covering data controller, lawful basis, sharing, and patient rights. The platform records explicit GDPR consent at patient registration.
Purpose limitation

Patient data must only be used for the specific purposes stated at the time of collection. You cannot repurpose clinical data for marketing without separate consent.

Granular consent categories — clinical, communications, and marketing are tracked separately. Data access is restricted by purpose through role-based controls.
Data minimisation

Only collect the minimum personal data necessary for the clinical service. Consultation forms should not ask for irrelevant information.

Each clinical service has its own tailored questionnaire — collecting only the data required for that specific consultation pathway.
Accuracy

Patient data must be kept accurate and up to date. Patients must be able to correct inaccurate personal data.

Patients can view and update their personal information through their secure portal. Clinical records are maintained by practitioners with full audit trails.
Storage limitation

Patient data must not be kept longer than necessary. Pharmacy records typically require 8-year retention for clinical records (NHS guidance).

Configurable retention periods per data type. Automated alerts when data reaches its retention limit. Secure deletion with audit trail confirmation.
Integrity and confidentiality

Patient data must be protected against unauthorised access, loss, or destruction using appropriate technical and organisational measures.

AES-256 encryption at rest, TLS in transit, role-based access control, immutable audit trails, and regular penetration testing. Cyber Essentials certified.
Article 6 lawful basis established

Every data processing activity must have a valid lawful basis — typically “legitimate interests” (Article 6(1)(f)) or “contract” (Article 6(1)(b)) for pharmacy operations, and “explicit consent” for marketing.

Website + PlatformPrivacy Policy + Consent Recording
Your Privacy Policy (built by RxSure) states the lawful basis for each processing activity. The platform records the specific lawful basis relied upon for each patient interaction.
Article 9 special category condition

Health data is “special category” data requiring an additional condition under Article 9. For pharmacies, this is typically Article 9(2)(h) — “provision of health care” by a health professional with a duty of confidentiality.

PlatformClinical Access Controls
Only registered clinical practitioners can access patient health data. The platform enforces professional boundaries through role-based access — administrative staff cannot view clinical consultation details.
Explicit consent for non-clinical processing

Marketing emails, SMS campaigns, and analytics require separate explicit consent. Consent must be freely given, specific, informed, and unambiguous.

Website + PlatformCookie Consent + Marketing Preferences
Website cookie consent banner with accept/reject. Patient portal marketing preferences are separate from clinical consent. Patients can withdraw marketing consent at any time.
Right of access (Subject Access Request)

Patients can request a copy of all personal data you hold about them. You must respond within one calendar month.

Patients can view their records in real time through the portal. Practitioners can generate a complete data export for formal SAR responses with one click.
Right to rectification

Patients can request correction of inaccurate personal data. Clinical records must be amended with a note explaining the change.

Patients update their own profile data. Clinical record amendments are logged with the original entry preserved in the audit trail.
Right to erasure (“right to be forgotten”)

Patients can request deletion of their data in certain circumstances. However, clinical records may be exempt where retention is required by law or for public health purposes.

The platform supports account deletion with configurable retention overrides for legally required clinical records. Non-clinical data (marketing preferences, analytics) is deleted immediately.
Right to data portability

Patients can request their data in a structured, machine-readable format to transfer to another provider.

Patient data can be exported in structured formats (JSON, CSV) for portability requests. Covers consultation records, prescriptions, and personal information.
Right to withdraw consent

Where processing is based on consent, patients must be able to withdraw it as easily as they gave it.

Patients manage all consent preferences from their portal dashboard. Withdrawal is one click — no forms, no phone calls, no barriers.
Encryption of personal data

All patient data must be encrypted both at rest (stored) and in transit (transmitted). This is the single most important technical safeguard.

AES-256 encryption at rest for all stored data. TLS 1.3 encryption in transit. Prescription tokens use additional one-time encryption.
Access control and authentication

Only authorised individuals should access patient data. Staff must use strong authentication and access must be limited to what each role requires.

PlatformRBAC Module
Five distinct user roles with granular permissions. Two-factor authentication available. Session timeouts enforce automatic logout. All access events logged.
Audit trails and logging

All access to and changes of patient data must be logged with who, what, when, and where. Logs must be tamper-proof.

Immutable audit logs for every data access, modification, and clinical decision. Cannot be altered or deleted — even by administrators.
Secure payment processing

Card payment data must be handled in compliance with PCI-DSS standards. Patient financial data must never be stored on your systems.

Stripe handles all payment processing (PCI-DSS Level 1). No card data touches or is stored on RxSure servers. See pricing.
Regular security testing

Systems processing patient data should undergo regular vulnerability assessments and penetration testing.

Cyber Essentials certified. Regular penetration testing and vulnerability scanning. Incident response procedures documented and tested.
Privacy policy published and accessible

A comprehensive privacy policy must be easily accessible from every page. It must cover: data controller identity, lawful basis, data sharing, retention periods, patient rights, and ICO contact.

WebsitePrivacy Policy Page
Full Privacy Policy page linked from the footer on every page. Covers all UK GDPR Article 13 requirements including data controller, legal basis, sharing, retention, and patient rights.
Cookie consent mechanism

Websites must obtain consent before placing non-essential cookies. Users must be able to accept or reject cookies with equal ease (PECR compliance).

WebsiteCookie Consent Banner
Cookie consent banner on first visit with accept/reject. Cookie Policy page categorises all cookies as essential, analytics, or marketing.
Data controller clearly identified

Your privacy policy must clearly identify who the data controller is (your pharmacy/company), with registered address and contact details.

WebsitePrivacy Policy + Footer
Data controller details included in your Privacy Policy and displayed in the website footer.
Terms of service for online transactions

Online pharmacy services require published terms covering the service agreement, payment terms, refund policy, and dispute resolution.

WebsiteTerms of Service Page
Full Terms of Service page covering NHS integration terms, platform terms, and patient service agreement.
ICO registration

Every organisation that processes personal data must register with the Information Commissioner’s Office. The annual fee is £40–£2,900 depending on turnover and staff count.

You ProvideLegal requirement
Register online at ico.org.uk. Your ICO registration number is then displayed on your RxSure website.
Data Protection Impact Assessment (DPIA)

A DPIA is mandatory when processing health data at scale. It must assess risks to patients and document safeguards.

You ProvideRxSure provides its own DPIA
RxSure has completed its own DPIA covering the platform. Your pharmacy should complete a separate DPIA covering your specific data processing activities. We can share our DPIA as a reference.
Staff GDPR training

All staff who handle patient data must receive GDPR training. Training must cover data protection principles, patient rights, and breach reporting.

You ProvideTraining records
RxSure provides platform-specific training for your team. You are responsible for broader GDPR awareness training and maintaining training records.
Data processing agreements with third parties

Written contracts must be in place with every third party that processes patient data on your behalf (Article 28).

You ProvideContractual requirement
RxSure provides a Data Processing Agreement as part of your service contract. You are responsible for DPAs with other third parties (e.g., delivery couriers, labs).
Data breach notification procedures

You must notify the ICO within 72 hours of becoming aware of a data breach that poses a risk to individuals. Affected patients must also be notified without undue delay if the risk is high.

You ProvideBreach response plan
RxSure monitors for platform-level breaches and will notify you immediately. You are responsible for your own breach response plan and ICO notification procedures.

Platform Certifications

When you operate on RxSure, your pharmacy benefits from these certifications from day one.

UK GDPR / DPIA
Compliant with UK GDPR. Data Protection Impact Assessment completed.
DSPT
NHS Data Security & Protection Toolkit — Standards Met
Cyber Essentials
Government-backed cyber security certification
DCB0129
Clinical Risk Management for Health IT Systems
PCI-DSS
Level 1 payment compliance via Stripe

Your GDPR Checklist

RxSure provides the platform and website. These items must come from you as the pharmacy owner.

Legal requirement

ICO Registration

Register with the Information Commissioner’s Office before processing personal data. Annual fee £40–£2,900.

Legal requirement

Data Protection Impact Assessment

Document risks and safeguards for your specific data processing activities. RxSure provides its own DPIA as reference.

Legal requirement

Breach Notification Plan

Written procedure for notifying the ICO within 72 hours and affected patients without undue delay.

Data Processing Agreements

Written contracts with every third party processing patient data. RxSure provides its DPA as part of your contract.

Staff GDPR Training

All staff handling patient data must receive GDPR training. Maintain training records as evidence.

Records of Processing Activities

Document what data you process, why, who has access, and how long it is retained.

Subject Access Request Process

Internal procedure for responding to patient data requests within one calendar month.

Common Questions

Not always. Under UK GDPR, a DPO is required if you are a public authority, carry out large-scale systematic monitoring, or process special category data (health data) on a large scale. Most independent pharmacies fall below the “large scale” threshold, but pharmacy groups and multi-site operations should seek advice. Even if not legally required, appointing someone to oversee data protection is good practice.
NHS guidance recommends retaining clinical records for 8 years for adults (or until the patient turns 25, whichever is longer, for children). Prescription records must be kept for 2 years. Private prescribing records should follow the same retention periods as best practice. RxSure’s Data Retention Engine lets you configure these periods per data type.
The right to erasure is not absolute. Clinical records may be exempt from deletion where retention is required by law (e.g., the Medicines Act 1968) or necessary for public health. However, non-clinical data (marketing preferences, analytics, account data) must be deleted on request. RxSure supports selective deletion — removing personal data while preserving legally required clinical records.
Yes. All patient data processed through RxSure is stored on UK-based infrastructure. There is no international transfer of patient data. This meets the UK GDPR requirement for data to remain within adequate jurisdictions.
The Data Security and Protection Toolkit (DSPT) is an NHS self-assessment tool that demonstrates your organisation meets data security standards. It is mandatory for organisations that access NHS patient data or NHS systems. If your pharmacy delivers NHS services (such as Pharmacy First), DSPT compliance is expected. RxSure holds DSPT “Standards Met” status — your pharmacy operating on our platform benefits from this.
RxSure has documented incident response procedures. If a platform-level breach is detected, we notify affected pharmacy clients immediately — well within the 72-hour ICO reporting window. Audit trails provide forensic evidence of what data was accessed. You are then responsible for your own ICO notification and patient communication as the data controller.

Need Help with Pharmacy GDPR Compliance?

Book a free strategy call. We’ll walk through your data protection requirements and show you how RxSure keeps you compliant from day one.

Book a Free Strategy Call
Disclaimer: This page is published by RxSure, a trading name of QASTCO Limited (Company No. registered in England & Wales). The information provided is for general informational purposes only and does not constitute legal or regulatory advice. While we make every effort to ensure accuracy, we make no warranties about the completeness or reliability of this content. GDPR compliance is your responsibility as data controller — always verify requirements with the ICO and seek independent legal advice. RxSure is a technology platform provider and does not provide legal, regulatory, or compliance advisory services.

From Our Blog

Related Reading