Reading List

A curated Reading List to support and extend learning from Data Protection Leadership for Pharmacy Owners, Managers and IG Leads.
ICO resources below apply UK-wide. Community Pharmacy England (CPE) links are specific to community pharmacy in England; if you work elsewhere, read them alongside your local or national requirements.
1. Core Accountability and Governance
ICO - Guide to accountability and governance
Overview of documentation, policies, data protection by design, DPIAs, contracts, and DPO expectations under UK GDPR.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/
ICO - Records of processing and lawful basis
Audit-framework material on ROPA quality, evidence of accountability, and keeping records current and reviewable.
https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/accountability/records-of-processing-and-lawful-basis/
ICO - Policies and procedures
Practical guidance on building a policy framework that leaders endorse and staff can use in day-to-day practice.
https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/accountability/policies-and-procedures/
ICO - Leadership and oversight
Guidance on oversight groups, reporting to senior management, DPO involvement, and maintaining evidence that policies, training, and audits are governed.
https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/accountability/leadership-and-oversight/
2. Roles, Controllers, Processors, and DPOs
ICO - How do you determine whether you are a controller or processor?
Explains the practical distinction between controller and processor roles and why responsibility can sit on a spectrum.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/how-do-you-determine-whether-you-are-a-controller-or-processor/
ICO - Data protection officers
Explains DPO duties, independence, required expertise, resourcing, and reporting lines to senior management.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/
Community Pharmacy England - Data security roles
England community pharmacy guidance on assigning data-security roles, including IG lead or SIRO-style responsibility, DPO arrangements, and confidentiality oversight.
https://cpe.org.uk/digital-and-technology/data-security/data-security-roles/
3. DPIAs, Training, and AI
ICO - What is a DPIA?
Explains why DPIAs are an accountability tool and when they are legally required for high-risk processing.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/what-is-a-dpia/
ICO - Specialised training
Guidance on identifying roles that need additional data-protection or information-governance training.
https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/training-and-awareness/specialised-training/
ICO - Artificial intelligence
ICO gateway page for AI and data-protection guidance, including detailed AI guidance and a risk toolkit.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
Community Pharmacy England - Data security training
CPE guidance that all staff handling confidential information need regular training. IG leads should complete more detailed learning and review training needs annually.
https://cpe.org.uk/digital-and-technology/data-security/data-security-training/
4. Security, Access, and Resilience
ICO - Security outcomes
An outcomes-based guide to technical and organisational security measures, including access control, resilience, restore capability, monitoring, and supply-chain assurance.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/security-outcomes/
ICO - Access
Records-management guidance on physical records security, locked storage, access logs, and periodic audit of storage areas.
https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/records-management/access/
ICO - Ransomware and data protection compliance
Leadership guidance on availability incidents, backup segregation, restore readiness, and wider cyber resilience when personal data is unavailable or compromised.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/ransomware-and-data-protection-compliance/
5. Breaches, SARs, Sharing, and Contracts
ICO - 72 hours: how to respond to a personal data breach
Step-by-step guidance for the first 72 hours after becoming aware of a breach.
https://ico.org.uk/for-organisations/advice-for-small-organisations/personal-data-breaches/72-hours-how-to-respond-to-a-personal-data-breach/
ICO - A guide to subject access
Guidance on recognising SARs, time limits, ID checks, reasonable searches, extensions, and secure disclosure.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/
ICO - What needs to be included in the contract?
Explains the Article 28 terms required in controller-processor contracts, including instructions, confidentiality, security, sub-processors, breach support, deletion, and audit rights.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/contracts-and-liabilities-between-controllers-and-processors-multi/what-needs-to-be-included-in-the-contract/
Community Pharmacy England - Data Security and Protection Toolkit 2026 guidance
CPE guidance for completing the DSPTK, useful for leaders overseeing annual IG declaration and assurance work.
https://cpe.org.uk/our-news/data-security-protection-toolkit-2026-community-pharmacy-england-guidance-available/
6. Pharmacy Regulatory Context
GPhC - Standards for registered pharmacies
Great Britain standards on governance, providing safe and effective services, and maintaining privacy, dignity, and confidentiality.
https://inspections.pharmacyregulation.org/standards
Use this Reading List to deepen knowledge of accountability, contracts, DPO and specialist-role expectations, higher-risk change control, audits, security assurance, breach response, and rights handling across pharmacy organisations.