At K.M.Medical Software, our company mission is to help build a better interaction between you and your client. We believe that the protection of our customers’ and their end users’ data is fundamental to this mission.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation that comes into effect on 25 May 2018. It replaces existing data protection law, places greater accountability on organisations that use your personal information and gives you greater control over it. The GDPR harmonises data protection law across the EU and governs how companies collect, store, modify, delete and otherwise process the personal data of individuals in the EU. It applies to any company that processes such data, regardless of whether the company has a physical presence in the EU, wherever it offers goods or services to individuals in the EU or monitors their behaviour.
Assess the risk
During development of the software we assessed the risks in each processing of personal data and addressed them with mitigation processes and risk control measures. This is reflected in every aspect of the software.
All of our processes are documented and can be audited at any time. We take the regulation seriously and have aligned our data processing with it.
Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is used to identify and mitigate data protection risks arising from a new or existing project that may affect our organisation or the individuals it engages with.
Under the GDPR a DPIA is mandatory for any processing that is likely to result in a high risk to individuals, which includes large-scale processing of sensitive data such as health records.
The DPIA process will allow us to make informed decisions about the acceptability of data protection risks, and communicate effectively with the individuals affected.
Not all risks can be eliminated, but a DPIA can allow us to identify and mitigate against data protection risks, plan for the implementation of any solutions to those risks, and assess the viability of a project at an early stage.
Good record keeping during the DPIA process allows us to demonstrate compliance with the GDPR and minimise the risk of a new project creating legal difficulties.
We assess the data protection impact at every stage of new projects and of existing processes.
K.M.Medical Software Limited is certified to ISO 27001, the international standard for information security management systems, for all of its operations, including software development, support and transcription services.
Encryption in Transit
All server connections and data transfers are encrypted with industry-standard 256-bit encryption. This protects your data against interception and tampering on the network; it does not replace securing the devices at either end of the connection.
Encryption at Rest
Your data is always stored encrypted and can be accessed only over encrypted channels, so only the intended people, who hold the right key together with the password, can read it.
All our software includes security features that help you achieve GDPR compliance. It has built-in features that make every activity in your practice accountable, including communication, digital fax, SMS texting and email. All of this traffic is fully encrypted and processed within Ireland. The added functionality is listed below.
Whenever you store a patient's sensitive healthcare information you must obtain their consent, covering the purpose for collecting and storing the data, with whom it will be shared and their communication preferences. We have built these forms and they are readily available to our clients; they include consent for the processing of children's data.
Access to personal data
Under the GDPR the patient is the data subject and has a right of access to their data, so you have to give them access to it, both to preserve the integrity of the data and for transparency about how their records are shared.
We provide a patient portal that lets you share records with the respective patients.
The software allows access only to the people intended to use it. Passwords must meet complexity requirements and be changed periodically. Note that current guidance such as NIST SP 800-63B favours screening passwords against lists of known-compromised passwords and forcing a change when compromise is suspected, rather than on a fixed schedule; check what your own policy requires.
We log everything in our software and use the following features to provide extra safety. Reports and real-time information show when data was accessed, from where and by whom, which strengthens monitoring of activity around sensitive data.
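The paragraph above describes an access log answering who touched a record, when and from where. The block below is an added illustration, not code from K.M.Medical Software's product, of one way such a log can be made tamper-evident: each entry includes the hash of the previous entry, so an edit or deletion anywhere in the history breaks the chain. The user names, patient identifiers and addresses are constructed sample data, and the field layout is an assumption for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def entry_digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only access log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def record(self, user, action, patient_id, source_ip, at=None):
        ts = (at or datetime.now(timezone.utc)).isoformat()
        body = {"ts": ts, "user": user, "action": action,
                "patient_id": patient_id, "source_ip": source_ip,
                "prev": self._prev}
        entry = dict(body, hash=entry_digest(body))
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]

    def verify(self):
        """Recompute the chain. Returns the index of the first bad entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or entry_digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def accesses_to(self, patient_id):
        """Who touched this patient's record, when, doing what, and from where."""
        return [(e["ts"], e["user"], e["action"], e["source_ip"])
                for e in self.entries if e["patient_id"] == patient_id]


def build_sample_log():
    # Constructed sample events: not real users, patients or addresses.
    log = AuditLog()
    t = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    log.record("dr.byrne", "view", "P-1001", "10.0.0.12", t)
    log.record("reception1", "update", "P-1002", "10.0.0.20", t.replace(minute=5))
    log.record("dr.byrne", "export", "P-1001", "10.0.0.12", t.replace(minute=12))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    for row in log.accesses_to("P-1001"):
        print(row)
```

A hash chain only proves tampering if the latest hash is kept somewhere the person editing the log cannot reach, for example written periodically to a separate system or signed; on its own it is a detection aid, not a guarantee.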
Two-factor Authentication
With 2-Step Verification you protect your account with something you know (your password) and something you have (your phone or a security key).
Our software and servers accept connections only from within Ireland. This substantially reduces the exposed attack surface, although it supplements authentication rather than replacing it. If you need access from elsewhere, contact us and provide your details.
Backup and restore
Managed, automated backup and restore processes reduce the stress and worry about your data. The processes are fully secured and backups are stored off-site, but only within Ireland.
Stored and processed in Ireland
All of your data is stored and processed only within Ireland. Our support team does not have access to your data. If any offshore processing is ever involved, we will state it explicitly in the agreement (model contract).
You can get all of your patients' information in a portable format whenever needed. There may be a small fee for a full export, but we do not charge for individual records.
Data Subject Access Requests
Data access requests from your clients are easy to manage: you can export a patient's information and notes in a single click, so requests are completed within the one-month time limit.
Right to be forgotten
Right-to-be-forgotten requests from your clients can be handled in a single click, which anonymises and deletes their information from the system.
You are the data controller: you control, and are responsible for, the keeping and use of personal information on our system, on your computers or in structured manual files.
The data is collected and stored by you, and you are responsible for it, so you are the data controller under the Data Protection Act and the GDPR.
A processor processes personal data on behalf of the controller but does not exercise responsibility for or control over it. K.M.Medical Software is a data processor that stores and processes data on your behalf.
Processing of Personal Data
As a data processor we may only process personal data on the instructions of the data controller, you. Those responsibilities include keeping personal data secure from unauthorised access, disclosure and destruction, in line with the data controller's instructions.
Getting your practice into compliance
There are several steps involved in the process; we have compiled them below.
Establish the project
Start implementing the Project
Download the full text of the EU GDPR if you want to understand it thoroughly.
Conduct a GDPR readiness assessment to determine the gap between your current state and compliance.
Organise a kick-off meeting with your employees.
Develop top-level policies
Establish the EU GDPR Personal Data Policy Framework.
Write the Personal Data Protection Policy.
Write the Employee Personal Data Protection Policy.
Write the Data Retention Policy.
Organise your data protection
Appoint a Data Protection Officer.
Define the Data Protection Officer’s job description.
Build up data inventory
Write the Inventory of Processing Activities.
Maintain and update the Inventory of Processing Activities.
Define the legal basis on which the company processes personal data, and whether you need consent from the data subjects.
Define data subject rights.
Define and implement data subject consent forms.
Define and implement the Data Subject Access Request procedure, and develop a guide outlining how to deal with requests.
Data Protection Impact Assessment (DPIA)
Define and write the Data Protection Impact Assessment Methodology (DPIA).
Maintain the DPIA Register.
Set up a DPIA review schedule.
Personal data transfers
Develop the Cross-Border Personal Data Transfer Procedure.
Identify all of your suppliers based outside the European Economic Area (EEA) that will have access to personal data.
Prepare and sign Data Transfer Agreements for all identified suppliers outside of the EEA.
Identify the suppliers that process personal data on your behalf (data processors).
Prepare and sign agreements with data processors to ensure they will act based on your instructions and will comply with EU GDPR.
Personal data protection
Identify and implement adequate security measures to protect personal data.
Test and review the implemented measures on a regular basis.
Handle data breaches
Identify the key stakeholders and establish your “Data Breach Response Team.”
Establish a process to evaluate a data breach, and to notify the Supervisory Authority and data subjects.
Establish a process to respond to a data breach.
Maintain a record of all data breaches.
Presentations and Training
Define which competencies your employees need.
List the training your employees should attend.
Develop a training plan for the next few months.
Perform periodic security awareness training for all of your employees.
How can we help?
We can help you at every stage of GDPR compliance implementation. Please contact us for more information.
Your right to restriction
All data is stored securely in our system, and if you discontinue the service we will give you the option of getting your data back. We also do not store any data that is not covered by our agreement.
Data processing agreement
The data processing agreement accompanies the SLA and covers all terms of data processing, our processes and information about sub-processors.
If there is a breach on our systems we will inform you within 72 hours. For context, the GDPR requires a processor to notify the controller without undue delay after becoming aware of a breach, and the controller must then notify the supervisory authority within 72 hours of becoming aware of it. You can contact our DPO about this.