The General Data Protection Regulation, or GDPR, is a Europe-wide law that came into force on 25th May 2018. The UK has implemented it through the Data Protection Act 2018, which replaced the former Data Protection Act 1998. The new act brings new elements and significant enhancements to strengthen data protection for individuals and also unifies this across the European Union.
What ToHealth Ltd. have done in order to be compliant.
We have been working on being GDPR compliant since December last year. As an organisation handling special category health data, we have always taken handling and protecting that data extremely seriously, and we have passed the strict information governance and security requirements for connection to the NHS network (N3) for the last 7 years.
We have reviewed and followed the Information Commissioner's Office (ICO) guidelines for the implementation of GDPR and taken the following actions.
• We have updated our data flows and data maps to ensure that we meet GDPR requirements.
• We have ensured all our staff are trained and meet the NHS training requirement on data security awareness.
• We have allocated our existing information governance lead to the role of data protection officer.
• We have reviewed and updated all our consent and privacy notices against ICO checklists to make sure they meet GDPR requirements.
• We have ensured the rights of the individual are clearly communicated.
• We have ensured that our data retention periods are suitable for the records being held.
• We have reviewed our subject access request procedures to ensure that they meet the new timing requirements specified in GDPR.
• We have updated our policies and procedures to meet our GDPR obligations.
• We have reviewed our IT and platform security and used a CREST-certified penetration testing company to test our proprietary platforms.