Pharmacies urged to be alert to GDPR-themed scam emails

Community Pharmacy England is aware of a recent increase in scam emails being sent to community pharmacies.

Some of these messages falsely claim that the pharmacy is under investigation for a data protection or GDPR compliance breach.

These emails can appear convincing at first glance. However, they often feature significant warning signs and should be deleted without responding.

Typical features of the scam:

  • May be sent from free webmail accounts, such as Gmail, rather than the official domains used by the NHS or the Information Commissioner’s Office (ICO)
  • Claims that the pharmacy is subject to a mandatory GDPR investigation
  • Threats of urgent deadlines or potential enforcement action
  • When you hover over a link (without clicking it) on a desktop, the real web address shown does not match the ‘displayed’ one, and looks suspicious
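The warning signs above can be checked mechanically before a message is forwarded for reporting. The script below is an added example, not code from Community Pharmacy England or the original page: it parses a message with Python's standard `email` and `html.parser` modules and flags the three indicators the list describes (a free webmail sender domain, urgency and enforcement language, and a link whose displayed address does not match the address it actually points to, the same mismatch a hover check reveals). The sample scam and benign messages, the free webmail list and the urgency phrases are all constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator lists, constructed for this example (extend to suit).
FREE_WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "yahoo.co.uk"}
URGENCY_PHRASES = ("mandatory gdpr investigation", "enforcement action", "deadline")


class _LinkCollector(HTMLParser):
    """Collects (href, displayed text) pairs and all visible text from an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, text shown to the reader)
        self.text = []       # all visible text, used for the urgency check
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def sender_domain(msg):
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_indicators(raw_message):
    """Return a list of human-readable findings for the warning signs in the advisory."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sent from a free webmail account rather than an official domain.
    domain = sender_domain(msg)
    if domain in FREE_WEBMAIL_DOMAINS:
        findings.append(f"sender uses free webmail domain: {domain}")

    # Gather the subject plus plain and HTML text for the urgency check.
    text_chunks = [str(msg.get("Subject", ""))]
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        text_chunks.append(plain.get_content())

    # 3. Displayed link text that does not match the real destination (the hover check).
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        text_chunks.extend(collector.text)
        for href, shown in collector.links:
            looks_like_address = "." in shown and " " not in shown
            if href and looks_like_address and _host(href) != _host(shown):
                findings.append(f"link text shows {_host(shown)} but points to {_host(href)}")

    # 2. Claims of a mandatory investigation, deadlines or enforcement action.
    lowered = " ".join(text_chunks).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency/enforcement wording: '{phrase}'")

    return findings


def build_sample_scam():
    """Constructed example of a GDPR-themed scam message (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "ICO Compliance Unit <ico.compliance.unit@gmail.com>"
    msg["To"] = "pharmacy@example.invalid"
    msg["Subject"] = "Mandatory GDPR investigation - response required"
    msg.set_content("Plain text fallback.")
    msg.add_alternative(
        "<p>Your pharmacy is subject to a mandatory GDPR investigation. "
        "Respond before the deadline to avoid enforcement action: "
        '<a href="http://verify-portal.example.invalid/login">'
        "https://ico.example.org/compliance</a></p>",
        subtype="html",
    )
    return msg.as_string()


def build_sample_benign():
    """Constructed ordinary message with none of the indicators."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@example.invalid>"
    msg["To"] = "pharmacy@example.invalid"
    msg["Subject"] = "Stock order"
    msg.set_content("Please confirm the order when you have a moment.")
    return msg.as_string()


if __name__ == "__main__":
    for name, raw in (("scam", build_sample_scam()), ("benign", build_sample_benign())):
        print(name, find_indicators(raw) or ["no indicators found"])
```

A match on any finding is a reason to stop and report rather than reply; an empty result is not proof a message is genuine, since a scammer can register a plausible domain and avoid the listed phrases, so the ICO's own position (it does not open regulatory action by unsolicited email to general inboxes) remains the decisive check.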

What pharmacies should do when suspicious of an email

  • Do not open any attachments
  • Do not click links
  • Mark it as spam and/or delete
  • Report suspicious messages to report@phishing.gov.uk
  • If the message arrived via an @nhs.net inbox, use the nhs.net phishing reporting function

Key reassurance for pharmacy teams

The ICO, the UK’s independent body responsible for upholding information rights, promoting data privacy for individuals, and enforcing data protection laws, does not initiate regulatory action through unsolicited emails sent to general inboxes.

NHS England and the Department of Health and Social Care would never direct pharmacies to respond to a private company regarding a GDPR investigation.

The emails have led to some pharmacy owners questioning if the nominated DPO must be independent.

Pharmacies should have a DPO; if one has not yet been appointed, this must be done.

NHS England advice states:

“ICO advice is that when a Pharmacy Manager (or staff member) becomes a DPO, the decision and reasons behind it should be documented and retained as part of the ‘accountability’ that GDPR requires. They also said, where possible, that any conflicts of interest between a person’s current role and that of DPO should be recorded along (again where possible) with mitigating measures to reduce or even eliminate such conflicts. Where they have to deal with a small public authority with the requirement for a DPO to be appointed, they intend to be as pragmatic as they can be.”

We have some information about DPOs on our GDPR and data security roles pages and within our Data Security and Protection Toolkit (DSPTK) guidance.

Support

Community Pharmacy England will continue to monitor this activity and inform NHS cyber and NHS.net Connect (formerly NHSmail) colleagues, to help pharmacy teams remain as protected as possible.