General Data Protection Regulations (GDPR)

Summary

Health Assured has long been committed to keeping our clients’ data private and secure. We want to reinforce this commitment as we move towards compliance with the GDPR. Health Assured currently complies with all legislation relating to Data Protection.

What is GDPR?

On the 25th May 2018, the data protection system across the EU (including the UK) will change. GDPR will replace the provisions of the Data Protection Act 1998 (DPA). The GDPR preserves the rights provided under the current law and also provides new rights and enhanced protection for individuals, known as Data Subjects. The following are the new rights for individuals under GDPR:

1. Right to be informed
2. Right of access
3. Right of rectification
4. Right to erasure
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights in relation to automated decision making and profiling

Health Assured GDPR Statement

Health Assured are committed to achieving compliance with GDPR prior to the implementation of the Regulation in May 2018. We are taking many steps across the entire business to ensure we will be ready for GDPR. We are identifying what personal data we hold for our customers, why we hold it, where it is stored and for how long. We are already compliant with the Data Protection Act and our compliance with GDPR will build on this foundation. Below is an overview of our GDPR roadmap and progress so far:

• Board approval and support from the whole business to undertake this important work – COMPLETE
• Thorough audit of all areas of our business, products and services which are likely to be impacted by GDPR – COMPLETE
• Identify all systems and locations that hold personal data to ensure we know whether that data is held, why we hold it and for how long – COMPLETE
• Develop a strategy and requirements for how to address the areas impacted by GDPR – COMPLETE
• Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – IN PROGRESS
• Ensure that all members of the business are educated and informed about GDPR and the changes that will be required by our business – IN PROGRESS
• Test all of our changes thoroughly to verify and validate compliance with GDPR – IN PROGRESS
• Finalise and communicate our full compliance prior to the deadline – TO BE ANNOUNCED PRIOR TO 25th May 2018

Consent

Consent is not required where the personal data is necessary for an employment contract, necessary to fulfil a legal obligation, for vital interests (life and death), in an official authority or the public interest, or for a legitimate interest (things you choose to do, but you must have a good reason for doing them).

• Consent must be unambiguous, freely given, demonstrable (written records), specific and informed.
• Opt-out is not consent, nor is silence assumed to be consent.
• Consent must be as easy to withdraw as it is to give.

No imbalance must exist between the data subject and the data controller for consent to be valid.

Accountability and Record Keeping

• Need to ensure the relevant documentation is in place, e.g. data protection and privacy policies.
• Carry out data protection impact assessments.
• Inform and train everyone on how to implement policies.
• Responsibility at the highest level for monitoring implementation of policies.
• Procedures for addressing breaches.

Maintain records of:

• The name and contact details of the data controller and, where necessary, the Data Protection Officer (DPO), and the purpose for processing data.
• Description of categories of data subjects and categories of personal data.
• Whether the data has been shared, and with whom.
• Whether the data is being transferred out of the EU.
• Time limits to erase data (retention policy).
• Description of security measures in place.

Data Protection Officer

Health Assured will be appointing a DPO, due to the size and nature of processing within the Group. The DPO will:

• Have “expert knowledge” of data protection law and advise the data controller.
• Be involved in all issues which relate to the protection of personal data.
• Be required to attend regular training.
• Be involved in data protection impact assessments.

Next Steps

We are currently reviewing our data security, privacy policies and processes to ensure that we are not only compliant but go further to ensure that your data is safe with us. Based on the research conducted both internally and externally, we are confident that the measures we have introduced will meet the requirements of GDPR.
