Important: The Information Commissioners Office and Community Pharmacy England New Requirements Direction for filling out the 2026 Data Security and Protection Toolkit.

On April 2nd 2026 Community Pharmacy England updated their Five-step checklist for completing the mandatory June 2026 Data Security and Protection Toolkit. The ICO also have updated their direction for all Public Authorities to appoint and register an official DPO.

All UK Pharmacies and Dental Practices MUST appoint a DPO BEFORE June 30th 2026 BEFORE filling out the NHS DSTP Toolkit


Community Pharmacy England now directs all UK pharmacies to appoint a Data Protection Officer BEFORE filling out the June 2026 Data Security and Protection Toolkit.

This CPE direction is a fundamental change from previous years. Appointing a DPO is now mandatory!

If a pharmacy does not appoint an official DPO before June 30th 2026 the pharmacy will not be GDPR compliant and cannot fill in the mandatory Data Security and Protection Toolkit. They will then be in breach of NHS contract.

Here is the new Community Pharmacy England direction:

https://cpe.org.uk/digital-and-technology/data-security/data-security-roles/

The ICO Now Require ALL Public Authorities to Appoint and Register a DPO

https://ico.org.uk/for-organisations/data-protection-fee/does-my-organisation-need-a-data-protection-officer-dpo/?p=start

https://cpe.org.uk/wp-content/uploads/2026/01/Briefing-DSPTK-A-Five-steps-for-completing-DSPTK-Data-Security-and-Protection-Toolkit-.pdf

Independent appointed DPO versus and Internally appointed DPO

If a Pharmacy or Dental Practice appoints an internal DPO they MUST meet this strict criteria:

They must have expert knowledge of UK GDPR data protection laws and practices.

There cannot be any conflict of interests. The internal DPO CANNOT be:

  • A director of the Pharmacy or Dental Practice.
  • The Pharmacy or Dental Practice owner.
  • The Superintendent Pharmacist or the Dental Practice Manager.
  • The Responsible Pharmacist.

Choosing to appoint an independent DPO meets ALL of the strict NHS and ICO requirements. A pharmacy or dental practice can then complete the NHS Security and Protection Toolkit legally!

We offer to you our independent DPO service that will fulfill all of your GDPR compliance requirements and allow you to fill in the June 2026 Security and Protection Toolkit correctly and avoid all of the pitfalls that appointing an unqualified internal DPO can bring.

Our proven independent DPO service is DPOA award winning and is very cost-effective!

Call us now for a no obligation discussion and quote.
We offer consultancy, outsourced DPO services, UK and EU GDPR representation, Caldicott Guardian support, staff training and awareness programs, and an expert DPO-led data protection advice line to support your compliance efforts.
Book a consultancy