The General Data Protection Regulation, or GDPR, is a Europe-wide law due to come into force on 25th May 2018. It will replace the current Data Protection Act 1988. Whilst many of the new legislation’s main concepts and principles are aligned with the current DPA, there are new elements and significant enhancements to strengthen data protection for individuals and to unify it across the European Union.
What are ToHealth Ltd. doing to prepare?
We have been working on being GDPR compliant since December last year. As an organisation handling very sensitive health data, we have always taken handling and protecting that data extremely seriously. We feel the improvements required are less for us than they would be for those in other industries. We have reviewed and are following the Information Commissioner’s Office guidelines for implementing GDPR. The activity to date has been to:
- Review all data flows and data mapping to ensure that we meet GDPR requirements.
- Ensure all our staff are trained to meet the NHS training requirement on data security awareness.
- Allocate our existing information governance lead the role of data protection officer.
We are currently:
- Reviewing all our consent and privacy notices against checklists to make sure they meet GDPR requirements.
- Ensuring that our data retention periods are suitable for the records being held.
- Reviewing our subject access request procedures to ensure that they meet the new timing requirements specified in GDPR.
- Updating our policies and procedures to meet our GDPR obligations.
We have been conducting due diligence on our third-party suppliers regarding GDPR and are monitoring their statements regarding progress towards compliance. We are using a CREST-certified penetration testing company to test our proprietary platforms.
ToHealth are fully committed to implementing full GDPR compliance by 25th May 2018. ToHealth continue to maintain high standards in data privacy and protection and to meet our obligations under the existing Data Protection Act. ToHealth are compliant with the strict information governance and security requirements for connection to the NHS network (N3) and have passed the annual assessment for the last 7 years. As part of our ongoing activity to incorporate GDPR requirements into our security programme, we are reviewing our current processes and procedures and updating them where necessary. We expect the review and any subsequent actions to be complete by May 2018.