From 25 May 2018 the General Data Protection Regulation (GDPR) and Data Protection act 2018 have required organisations who process personal data to comply with the obligations set out within the legislation.

At McKesson UK we are proud to provide high quality integrated healthcare services to our customers. Data Protection legislation is not new to us, and we have been complying with it since 1998. The GDPR raises the benchmark for data protection compliance, and we have welcomed and achieved these stringent new standards.

In accordance with legislation, we have a dedicated Data Protection Officer (DPO) for the UK group of businesses. The DPO is supported by a large of team of Data Protection Champions and Information Governance advisers across the Group. We have full support from the UK Board of Directors and our extended senior management across the international business.

We have implemented both technical and organisational measures to comply with these requirements of the new legislation. Reviews were undertaken of all our systems and applications and remedial action taken where necessary to keep personal data secure.

We are confident that we can demonstrate our accountability and compliance. Our Data Protection policies and procedures have been reviewed and updated to reflect the changes required under GDPR. We have reviewed and amended our third-party contracts and shared a GDPR variation to ensure that heritage contracts are compliant. Our new contract management process ensures that all new agreements going forward are compliant. We have reviewed our data subject consents, and in conjunction with industry regulators such as those for pharmacy and clinical homecare services, are consistent with sector guidelines.

Article 30 of the GDPR requires specific records to be kept of data processor activities. We have data inventories across all of our business areas to map what personal data we hold on behalf of data subjects, where it comes from, who we share it with and what we do with it. This provides us with the foundation of our GDPR compliance.

We have always promoted a positive culture of data protection and compliance. This has been improved through awareness and GDPR training for all staff.

The GDPR requires us to notify any security incident or breach and we have a process in place to achieve this.

The GDPR improves data subjects’ rights. We have a process in place to respond to all data subject requests for access to their information.

We are not complacent. We have a process to refine and improve our compliance with data protection legislation. We have introduced a monthly process to monitor and report on our compliance. We will ensure that we continue to securely process personal data.

If you have any questions about GDPR, please contact our Data Protection Officer