When GDPR takes effect on 25th May 2018 we will:
- have appropriate measures and protections in place to comply with our responsibilities as a "data processor"
- provide a suite of tools to help you (as a clinician) comply with your responsibilities as a "data controller". To be clear, there is no requirement for us (as the data processor) to do this, but we feel very strongly that GDPR is a positive piece of legislation and as such we want to do everything we can to help with good data governance.
However, please be aware that the word “compliant” implies a level of ratification that doesn’t exist. Before (or after) May 2018 no one is going to be certified against GDPR. Whether you’re a data controller or data processor it is your responsibility to comply with the regulation based on:
- your interpretation of the regulations
- the applicability of the regulations to your specific business
- your assessment of the risks associated with recording and processing personal data
We’re not for one second suggesting that you should be complacent in any way; however, we think it’s important to make it clear that there isn’t a box you can tick anywhere and say “yes, we are compliant”.
If you (as a data controller) want some kind of assurance about your data processor, we would recommend taking a look at the relevant international standards. There are a number that touch on or relate to GDPR, but your starting point should probably be ISO27001: Information technology — Security techniques — Information security management systems — Requirements.
Here’s the official definition from the ISO (International Standards Organisation):
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
Given the standard’s scope and the fact that it requires ongoing auditing and certification we feel it provides you (as a data controller) with a good measure of a processor’s ability to protect the integrity of your data. For this reason, it’s probably the closest you will get to a tick in a box, but do keep in mind that ISO27001 and GDPR are not the same thing.
Here at WriteUpp, we have chosen to seek ISO27001 accreditation to give extra peace of mind to our clients as we move towards the GDPR deadline. We have engaged with QMS International to assist us in the certification process and expect to be certified against ISO27001 shortly before GDPR takes effect.
Need More Help?
We understand that not everything is black and white, so if you need some help, click "Submit A Request" to raise a ticket and one of our team will help you out as soon as possible.