GDPR Statement
Introduction
The European Union's General Data Protection Regulation (GDPR) came into effect on 25 May 2018, bringing with it wide-ranging changes and new responsibilities for organisations that process personal data. These changes affect all organisations that hold or process personal data, including Safe Dispenser Ltd (SDL).
This statement outlines the anticipated impact on SDL and our approach to ensuring our compliance with the new legislation.
Are we a data controller or a data processor?
A 'data controller' is the entity that determines how and why personal data is processed; a 'data processor' uses, handles or works with that data under the instruction of the controller. SDL is a data processor, under both existing data privacy legislation and the GDPR, for the data it processes on behalf of its clients. SDL is also a data controller for the data it stores and manages about its own customers, suppliers and staff.
How does the GDPR affect us?
The GDPR affects SDL in its capacity as a data controller for the information we store and manage about our customers, suppliers and staff. However, our core business is providing commercial rebate and cost-effective medicines optimisation insight to the NHS on behalf of manufacturers. In this respect we process data under the instruction of a data controller and are therefore a data processor. Consequently, we must meet the GDPR's requirements for both data controllers and data processors.
How are we compliant?
SDL has always taken its responsibility for information security and data protection seriously. We have always operated to high standards of information security and data protection and are committed to maintaining them.
Our compliance
Prior to the GDPR, SDL had already implemented company-wide information security and data protection controls through its ISO-certified management systems: ISO 27001 (information security management) and ISO 9001 (quality management).
SDL has undertaken an analysis of our existing controls against the GDPR’s requirements to understand where they need to be augmented or where additional controls need to be introduced.
SDL has used the output from this analysis to inform and establish a GDPR compliance programme which includes the following key activities:
- A review of all data processing activities, including confirmation of our lawful bases and purposes for processing, where data resides, how it is secured and who can access or change it
- Refreshing our staff Data Privacy Awareness Training
- Updates to our internal security processes to meet GDPR requirements, including processes for data subject rights, personal data breach response, privacy by design and third-party compliance
- Updates to internal policies, procedures and privacy notices
- A review of the contractual and data sharing terms between SDL and our clients and suppliers
- Appointment of a Data Protection Officer (DPO) responsible for advising on and monitoring our compliance with all applicable data protection laws
Our Clients’ compliance
SDL is acutely aware that customers trust us and our service solutions to protect their data. We therefore commit to keeping the security of our customers' data at the forefront of everything we do, and to demonstrating this commitment by continuing to submit our ISMS for external validation against ISO 27001 and other industry standards.
SDL understands the importance of informing our customers of any incidents or breaches that affect their data. SDL is confident that our technical and organisational measures significantly reduce the risk of a data breach. However, in the unfortunate event that a breach does occur, we are prepared to notify affected customers without undue delay, as the GDPR requires of a processor once it becomes aware of a personal data breach, and to assist with any ensuing investigation.