GDPR Statement

Introduction

The European Union’s General Data Protection Regulation (GDPR) came into effect on 25th May 2018, bringing with it wide-ranging changes and new responsibilities for organisations that process personal data. These changes will affect all organisations which hold or process personal data, including PrecisionMeds (PM).

This statement outlines the anticipated impact on PM and our approach to ensuring our compliance with the new legislation.

Are we a data controller or a data processor?

A ‘data controller’ is an entity that determines how and why personal data is processed, and a ‘data processor’ uses, handles or works with the data under the instruction of the controller. Under both existing data privacy legislation and the GDPR, PM is therefore a data processor. PM is also a data controller in that we store and manage data about our customers, suppliers and staff.

How does the GDPR affect us?

The GDPR affects PM in its capacity as a data controller for the information we store and manage about our customers, suppliers and staff. However, our core business is providing commercial rebate and cost-effective medicines optimisation insight to the NHS on behalf of manufacturers. In this respect we process data under the instruction of a data controller and therefore we are a data processor. Consequently, we must take heed of, and comply with, the requirements for both data controllers and processors.

How are we compliant?

PM has always taken its responsibility for information security and data protection seriously. Consequently, we have always operated high standards of information security and data protection and we are committed to maintaining those high standards.

Our compliance

PM has undertaken an analysis of our existing controls against the GDPR’s requirements to understand where they need to be augmented or where additional controls need to be introduced.

PM has used the output from this analysis to inform and establish a GDPR compliance programme which includes the following key activities:

  • A review of all data processing activities, including confirmation of our lawful bases and purposes for processing data, where data resides, how data is secured and who can access or change data

  • Refreshing our staff Data Privacy Awareness Training

  • Updates to our internal security processes to meet GDPR requirements including processes associated with data subject rights, personal data breach response, privacy by design and third-party compliance

  • Updates to internal policies, procedures and privacy notices

  • A review of the contractual/data sharing terms between PM and our clients and suppliers

  • Appointment of a Data Protection Officer (DPO) with responsibility for advising on and monitoring our compliance with all applicable data protection laws

Our Clients’ compliance

PM is acutely aware that customers trust us and our service solutions to protect their data. We therefore commit to ensuring that the security of our customers’ data continues to be at the forefront of everything we do.

PM understands the importance of informing our customers of any incidents or breaches that affect their data. PM is confident that our technical and organisational measures significantly reduce the risk of data breaches; however, in the unfortunate event that a breach does occur, we are prepared to provide timely notification to customers and to assist with any ensuing investigation.