​At K.M.Medical Software, our company mission is to help build a better interaction between you and your client.  We believe that the protection of our customers’ and their end users’ data is fundamental to this mission.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation which comes into effect on 25 May 2018. GDPR will update existing data protection law and will place a greater accountability on organisations when using your personal information and give you greater control over your personal information. The GDPR harmonizes data privacy laws across the EU and mandates how companies collect, store, delete, modify and otherwise process personal data of EU citizens. It applies to any company that processes personal data of EU citizens, regardless of whether such company has any physical presence in the EU, or even whether it has any EU customers.

Our Commitment

The team at K.M.Medical Software is fully committed to complying with the requirements of the GDPR. We understand that compliance with a new set of privacy laws can be challenging, and we are here to help with your GDPR compliance initiative by providing you with state of the art GDPR compliant services.

Our legal and policy experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR. We have taken these new requirements to heart and made changes to our products, contracts and policies to ensure that we are fully in compliance with the GDPR before May 25, 2018. We are also dedicated to helping you, our customer, succeed in complying with the GDPR.

Security Measures in Our Processes

Access the risk

During the development of the software, we assessed all the risks in the processing of personal data and remediate those risks by involving mitigation processes, risk control measures. This reflects in all the aspects of our software.

Documented process

All of our processes are documented and it is auditable at any time. We take the regulations seriously and accommodate the regulations in terms of data processing.

Data Protection Impact Assessment

Data Protection Impact Assessments (DPIA) can be used to identify and mitigate against any data protection related risks arising from a new and existing project, which may affect our organisation or the individuals it engages with

  • Under the GDPR, Data protection impact assessments are mandatory for any high-risk and high sensitive data processing projects.

  • The DPIA process will allow us to make informed decisions about the acceptability of data protection risks, and communicate effectively with the individuals affected.

  • Not all risks can be eliminated, but a DPIA can allow us to identify and mitigate against data protection risks, plan for the implementation of any solutions to those risks, and assess the viability of a project at an early stage.

  • Good record keeping during the DPIA process allows us to demonstrate compliance with the GDPR and minimise the risk of a new project creating legal difficulties.

We are assessing the Data protection impact at every stage of the projects and existing processes.

ISO 27001

K.M.Medical Software Limited achieved the highest quality standard for the information security management system ISO27001 for all of its operations including the Software Development, support and the Transcription services


Encryption on the Move

All of servers and transports are encrypted with the highest industry standard encryption algorithm (256bit). This will ensure that no one is interfering your data and access it. 

Encryption on the Rest

Your data will be always stored encrypted and can be accessed only using encrypted channels. This will ensure the only intended people who have the right key along with the password can access your data. 

GDPR Accommodations in Our Software


All our software accommodates the security features that will help you to achieve the compliance with the GDPR. Our software has inbuilt features that make everything is accountable in your practice that includes the communication, digital FAX, SMS texting and emailing. All the above traffic and communication methods are fully encrypted and processed within Ireland. We have some added functionalities in our software as listed below


Whenever you are storing your patient’s sensitive healthcare information, you have to get the consent from them regarding the purpose of getting and storing their data, sharing information and their communication preferences. We built those forms and they are readily available for our clients. Those consent forms include the processing of children’s data’s as well.

Access to personal data

As per the GDPR, the patient is the owner of their data. So, you have to provide them with the access to their data for the Integrity of the data and for the transparency of the sharing of the patient records.

We provide the patient portal to our clients, that you can share the data with respective patients. 

Secured access

The software only allows the persons intended to use the software. The password should be changed periodically with the complex character requirements.

Auditing Capabilities

We are logging everything in our software and we are using the following features to provide extra safety. There is a reporting and real-time information available when the data was accessed from where and who accessed the data. This feature will enhance the monitoring of the activities when it comes to sensitive data.

Dual factor Authentication

With 2-Step Verification, you’ll protect your account with something you know (your password) and something you have (your phone or Security Key).

Geographical limit

Our software and servers are limited to allow access only within Ireland. This reduces the attack vector 90%. If you need to access, you have to contact us and provide your information.

Backup and restore

Managed and Automated backup and restore processes reduce the stress and worry regarding your data. Our processes are fully secured and the backup is stored in Offsite, but within Ireland only.

Stored and processed in Ireland

All of your data are stored and processed only within Ireland. Our support team doesn’t have the access to your data. We will explicitly notify in the agreement (model contract) if there is any offshore processing involved. 

Data Portability

You can get all of your patient’s information in portable format whenever needed. There might be a small fee for providing all the data. But we are not charging for individual data.

Data Subject Access Requests

 It is very easy to manage all data access requests from your clients and you can export patient information and notes to ensure that they can easily be completed within the time in a single click.

Right to forgotten

The right to be forgotten requests that you may receive from your clients can anonymise and delete their information from the system in a single click and it is very easy to use. 


What you have to do in your part?


Data Controller

You are a data controller who controls and is responsible for the keeping and use of personal information on our system or on the computer or in structured manual files.

The data is collected and stored by you and responsible for the data. You are the Data controller as per the Data Protection Act and GDPR.

Data Processor

The processor process the personal data, but do not exercise responsibility for or control over the personal data. The data processor process the personal data on behalf of the Controller. K.M.Medical Software is a data processor who stores and processes the data on your behalf

Processing of Personal Data

As a data processor, we must only process personal data on the instructions of the Data Controller, you. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction as per the data controller’s wish.


Getting your practice into the Compliance

There are Several steps involved in the process which we have listed below. We compiled the details and listed them below.

Implementation Phases

Establish the project

Start implementing the Project
Download the EU GDPR full text (try here if you really want to understand)
Conduct the GDPR Readiness Assessment to help you determine the GAP to achieve the compliance
Organise a kick-off meeting with your employees.

Develop top-level policies

Establish the EU GDPR Personal Data Policy Framework.
Write the Personal Data Protection Policy.
Write the Employee Personal Data Protection Policy.
Write the Data Retention Policy.

Organise your data protection

Appoint a Data Protection Officer.
Define the Data Protection Officer’s job description.

Build up data inventory

Write the Inventory of Processing Activities.
Maintain and update the Inventory of Processing Activities.

Managing data

Define the legal basis of the company to process personal data,
and whether you need consent from the data subjects.

subject rights

Define data subject rights.
Define and implement data subject consent forms.
Define and implement the Data Subject Access Request
Procedure and develop a guide outlining how to deal with the requests.

Data Protection Impact Assessment (DPIA)

Define and write the Data Protection Impact Assessment Methodology (DPIA).
Maintain the DPIA Register.
Set up a DPIA review schedule.

Personal data transfers

Develop the Cross-Border Personal Data Transfer Procedure.
Identify all of your suppliers based outside the European Economic Area (EEA) that will have access to personal data.
Prepare and sign Data Transfer Agreements for all identified suppliers outside of the EEA.

Third-party compliance

Identify the suppliers that process personal data on your behalf (data processors).
Prepare and sign agreements with data processors to ensure they will act based on your instructions and will comply with EU GDPR.

Personal data protection

Identify and implement adequate security measures to protect personal data.
Test and review the implemented measures on a regular basis.

Handle data breaches

Identify the key stakeholders and establish your “Data Breach Response Team.”
Establish a process to evaluate a data breach, and to notify the Supervisory Authority and data subjects.
Establish a process to respond to a data breach.
Maintain a record of all data breaches.


Presentations and Training
Define which competencies your employees need.
List the training your employees should attend.
Develop a training plan for the next few months.
Perform periodic security awareness training for all of your employees.

How can we help?

We can help you on every stage of the GPPR compliance implementation. Please contact us to get more information.



Your right to restriction

All the data’s are stored in our system securely and if you discontinue the services, we will give the option of getting your data back. Also, we won’t store the data that we are not in the agreement.

Data processing agreement


The data processing agreement will be accompanied by the SLA and it covers all the terms of the data processing and our processes as well as the sub-process information.




Breach obligations

If there is any breach on our systems, we are obliged to inform you within 72 hours. You can contact our DPO regarding this information.