GDPR Risks in the Pharmacy Data Supply Chain

A Real-World GDPR Example: How Responsibility Flows Through the Pharmacy Data Supply Chain

A recent report in The Irish Times clearly illustrates how GDPR responsibility is divided between three parties: the software provider, the organisation using the software, and the individuals whose data is being processed.

In the reported case, concerns were raised about the use of post-primary student data, and legal proceedings were taken in relation to alleged data protection breaches — including the processing of student information without express parental permission.

The issue was not whether the software itself was GDPR-compliant. Instead, the focus was on how the system was being used and who was responsible for ensuring a lawful basis for processing the data.

Under GDPR, the software supplier operates as the data processor, while the school — as the organisation deciding why and how student data is used — acts as the data controller. The students, whose personal data is involved, are the data subjects whose rights must be protected.

This data supply chain maps directly to the pharmacy setting. In a pharmacy context:

  • the software supplier (booking, prescription ordering, messaging platform, analytics, payment, etc.) is the data processor
  • the pharmacy is the data controller
  • and the patient is the data subject

The pharmacy remains responsible for ensuring that patient data is collected lawfully, processed appropriately, and supported by valid consent or another lawful basis. GDPR accountability cannot be outsourced — it flows through the data supply chain and ultimately rests with the data controller – the pharmacy.


The Key Lesson: Your Pharmacy is the Data Controller

One of the most important points in the Irish Times reporting was the distinction between the parties:

  • The supplier of the software is described as the data processor
  • Schools remained the data controllers, responsible for deciding the lawful basis for processing data

This matters because most pharmacies are set up the same way with technology vendors.

In pharmacy terms:

  • Software suppliers of your booking engine, consultation software or prescription ordering = Data Processor
  • Pharmacy = Data Controller

That means the pharmacy is the organisation responsible for compliance — even if the system is hosted, managed and marketed by the supplier.


Why This is Higher Risk for Pharmacies than Schools

Pharmacies process special category personal data — health data — which carries higher protections under GDPR.

Your online supplier may be handling:

  • prescription details and medication information
  • date of birth and contact numbers
  • vaccination appointment details
  • consultation answers (symptoms, conditions)
  • GP / referral information
  • messaging between patient and pharmacy

If any of this is collected, stored, or shared in a way that isn’t compliant, the pharmacy’s exposure is serious — because the controller is accountable.


Action List: Managing GDPR Risk in the Pharmacy Data Supply Chain

As the data controller, the pharmacy is responsible for how patient data is collected, used and protected across every system it touches. The following actions help reduce risk and demonstrate accountability under GDPR.

  1. Review all software suppliers’ GDPR compliance
    Confirm that software providers can supply a Data Processing Agreement (DPA), clearly identify sub-processors, and explain where and how patient data is stored.

  2. Map the pharmacy’s data supply chain
    Document how patient data flows from the patient to the pharmacy, through digital systems, hosting providers and backups — and back again.

  3. Verify consent and lawful basis for processing
    Ensure consent wording is clear, appropriate for health data, and supported by auditable records, particularly where minors are involved.

  4. Assess security controls
    Confirm encryption, access controls, audit logs, and breach-response procedures are in place and documented.

  5. Confirm patient rights can be fulfilled
    Make sure systems allow access, correction, deletion and data export requests to be handled within GDPR timelines.

  6. Review data retention and deletion policies
    Ensure patient data is not kept longer than necessary and can be securely deleted when required.

  7. Train pharmacy staff
    Staff should understand how to use systems correctly and recognise their role in protecting patient data.

  8. Reassess suppliers regularly
    GDPR compliance is not a once-off exercise — suppliers, features and regulations change over time.


Simple rule of thumb:

If a supplier cannot clearly explain their role in your data supply chain, they are a risk — not just a vendor.


Common Red Flags in the Pharmacy Data Supply Chain

The Irish Times article makes the point clearly: even where the supplier is the data processor, the controller remains responsible. In a pharmacy setting, that controller is the pharmacy, and it is ultimately the pharmacy’s responsibility to ensure the supplier is GDPR compliant.

If your system:

  • blocks you from exporting or deleting patient records properly
  • cannot provide a formal Data Processing Agreement (DPA)
  • can’t list its sub-processors
  • doesn’t support access logs / audit trails
  • can’t show consent evidence
  • offers “free” services but monetises data
  • does not provide secure two-factor login (for example, a code sent by text message or similar)

…then you are not just buying software — you are inheriting risk.


About Refill Assistant Implementation of GDPR

Refill Assistant is built specifically for pharmacies, with GDPR compliance and patient data security designed in from day one.

The platform uses strong encryption to protect data in transit and at rest, mandatory 2-factor authentication to prevent unauthorised access, and automatic session timeouts to reduce walk-away and shared-workstation risk in busy pharmacy environments. These controls align with recognised healthcare security standards and ensure pharmacies can demonstrate appropriate technical measures under GDPR—protecting patients, staff and pharmacy owners alike.

Refill Assistant signs a GDPR processor agreement with the pharmacy. All sub-processors are clearly listed.
