In last week's blog, we discussed the important questions GDPR (EU 2016/679) raises for clinical trials and clinical technology companies ahead of the GDPR effective date of 25 May 2018. This week, we share the steps Longboat has taken to meet the requirements mandated by the GDPR, so that our data subjects and clients can continue to rest easy knowing that we are doing everything required under the new regulation to keep personal data secure and private.
1. Engaging the services of privacy consultants
As soon as GDPR came onto our radar, we engaged a well-recognized privacy consultancy firm and conducted a thorough privacy review of all personal data that Longboat holds. This review took into account all seven principles of the GDPR (Article 5) as well as privacy best practices. As a result, we identified areas regarding user privacy and personal data that required mitigation to ensure GDPR compliance.
2. Lawful, fair, and transparent processing/purpose limitation
3. Data minimization
We have undertaken a ‘data minimization review’ to verify that the personal data we request from our data subjects is necessary and appropriate, and we are removing fields and data that we have deemed surplus to requirements or business need. We are also making changes to our platform to add transparency for data subjects at the point of data collection: the platform will explain why Longboat requests certain personal data from data subjects, and how that data is processed.
4. Accuracy and up-to-date processing
We provide the facility within our platform for data subjects to manage their own personal data and notification preferences, and to keep them accurate and up to date, via their “My Account” page.
5. Limitation of storage in a form that permits identification
We limit the storage of personal data in a form that permits identification of an individual. We use various technical controls to achieve this, such as encryption, data segregation, restriction of access to personal data, and secure data transfer mechanisms. Existing data retention policies have been reviewed and revised in line with best practices, ensuring we only keep data for the minimum time required to fulfil the contract and/or our regulatory obligations. If copies of data are generated (e.g., during back-ups), they are stored encrypted, so that the back-up media do not identify an individual without the corresponding key, and back-up media are cycled regularly so that data is not retained on back-up media for longer than needed.
6. Confidentiality and security
We follow industry best practices and standards, and conduct regular security risk assessments and vulnerability reviews, to ensure the ongoing security of data. We host data only in secure, ISO 27001-certified data centers. Where data is passed to third parties, GDPR compliance is an important criterion when selecting such vendors: we verify that any third-party processor we pass personal data to provides assurances that the data is kept secure and confidential, and that it can comply with GDPR requirements and the rights of data subjects under GDPR. In such cases, third-party processor contracts containing the clauses mandated by GDPR (Article 28) have already been put in place. Longboat reviews the performance of our third-party processors periodically to ensure ongoing compliance with data privacy requirements and requests.
7. Accountability and liability
We have conducted a privacy impact assessment (PIA) relating to all personal data we hold. Any risks identified by the PIA have been mitigated, and we have put in place processes to trigger a new PIA whenever a change may affect Longboat’s processing of personal data, so that potential risks to privacy are identified and mitigated on an ongoing basis.
We have documented all of our processing activities involving personal data in a processing log (the record of processing activities that, under Article 30 of the new regulation, must be made available for the Commissioner’s review upon request), and we have put in place robust processes to address the rights of data subjects under GDPR in a timely fashion, with fully auditable records of such requests.
8. Staff training and awareness
All Longboat staff have already received comprehensive training on data privacy and security awareness, and we will continue to enhance that training and awareness on an ongoing basis. Employee sanctions have also been put in place to ensure that all Longboat staff are aware of the importance of keeping the personal data we hold secure and private, and of the consequences of failing to do so.
9. Disaster recovery plans
Lastly, we have disaster recovery plans in place that are tested regularly, ensuring that data is recoverable at all times.
Having taken the steps above and gone through this process, the apprehension we initially felt when addressing the regulations has been replaced with genuine appreciation of the legislation and how it benefits Longboat, our clients, and the site staff, patients, and project teams using our system.