GDPR took effect on 25th May 2018

we have appropriate measures and protections in place to comply with our responsibilities as a "data processor"
we provide a suite of tools to help you (as a clinician) comply with your responsibilities as a "data controller". To be clear, there is no requirement for us (as the data processor) to do this, but we feel strongly that GDPR is a positive piece of legislation, and so we want to do everything we can to support good data governance

However, please be aware that the word "compliant" implies a level of ratification that does not legally exist. No one can be certified as "GDPR compliant". Whether you are a data controller or a data processor, it is your responsibility to comply with the regulation based on:

your interpretation of the regulation
the applicability of the regulation to your specific business
your assessment of the risks associated with recording and processing personal data

We are not suggesting that you should be complacent in any way; however, we think it is important to make clear that there is no box you can tick anywhere and say "yes", we (or you) are compliant.

If you (as a data controller) want assurance about us as your data processor, we recommend looking at the relevant international standards. A number of them touch on or relate to GDPR, but your starting point should probably be ISO/IEC 27001: Information technology — Security techniques — Information security management systems — Requirements.

Here is the official description from ISO (the International Organization for Standardization):

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Given the standard's scope, and the fact that certification requires an independent audit followed by ongoing surveillance audits, we feel it gives you (as a data controller) a good measure of a data processor's ability to protect the confidentiality, integrity and availability of your data. For this reason it is probably the closest you will get to a tick in a box, but do keep in mind that ISO/IEC 27001 and GDPR are not the same thing: a certified information security management system is evidence of good security practice, not proof of GDPR compliance.

Here at WriteUpp, we are ISO/IEC 27001 certified; our certificate number is 275372018. Below is a copy of our certificate:
