GDPR Compliance at HealthTrust Europe
What is GDPR?
The General Data Protection Regulation (GDPR) provides significant updates to existing data protection laws and applies to all EU Member States from 25th May 2018.
The GDPR imposes new obligations on organisations that control or process relevant personal data and introduces new rights and protections for EU data subjects. The GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
What is HealthTrust Europe doing for GDPR?
Ensuring and maintaining the security and safety of personal and/or special category data belonging to the individuals with whom we deal is paramount to our company ethos. HealthTrust Europe adheres to the GDPR and its associated principles in all processes and functions. Our parent organisation HCA Healthcare UK has appointed a Data Privacy Officer who oversees the implementation of the GDPR within our corporate group, and our programme is well underway to ensure that we are ready for the new legislation when it takes effect. This includes, but is not limited to, the following activities:
We have revised our contracting procedures to ensure that our agreements are compliant with GDPR, and have undertaken remedial action regarding existing contracts where necessary. When HealthTrust Europe undertakes a contracting exercise, a number of due diligence checks are undertaken which have now been expanded to include data protection considerations.
To comply with the GDPR, we now include Data Protection Impact Assessments (DPIA) in relevant contracting processes so that our customers can be assured that personal data has adequate protection when in the hands of our Suppliers. In all cases where personal data is being processed by one of our Suppliers, we ensure that appropriate terms and conditions are in place.
Data Impact Assessments and Data Inventory
We have undertaken a systematic review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records. Throughout our organisation, these assessments have reviewed information flows, any data transfers and the associated risks, and our position in relation to lawfulness, purpose, minimisation, accuracy, consent, limitation, integrity and confidentiality, record keeping and accountability.
We have reviewed and updated our corporate policies including but not limited to our Data Breach Policy, Business Continuity Plans, DPO appointment, Subject Access Requests, Individuals Rights and ICO Good Practice.
Training and Awareness
We have provided extensive training on the GDPR to ensure that our staff understand its impact on our policies and procedures, and protect personal data in accordance with those requirements.
Supplier and Partner relationships
Where appropriate, we ensure that third parties and especially our Suppliers have in place appropriate policies, procedures and standards in order to ensure compliance with the GDPR.
We have reviewed our technology platforms to analyse their operation, security and compliance to ensure that they meet the standards we have laid down and identify any gaps and risks.
Data captured via web forms requires visitors to complete an opt-in checkbox, providing explicit consent for the use of their data for marketing activities. We use this data to understand our customer and prospective customer preferences so we can contact them with relevant products and services that we feel would be of interest and of value to them. HealthTrust Europe will use this information to contact customers and prospective customers via phone, email and/or direct mail.
We operate a straightforward process for updating contact preferences and/or withdrawing consent by contacting our Customer Care team on 0845 887 5000 or by emailing firstname.lastname@example.org.
Data Breach Notification
HealthTrust Europe operates a clear Incident reporting policy. Although HealthTrust Europe does not accept third party personal information, we work closely with our Customers and Suppliers to ensure data shared is GDPR compliant. We also implement contractual requirements on any third-party data processors we appoint to process data on our behalf.
We have dedicated resources who are responsible for the policies, procedures, controls and measures that ensure continued compliance with the GDPR and its principles, and we will review these on an ongoing basis.
HealthTrust Europe is registered with the Information Commissioner’s Office and appears on the Data Protection Register with registration number Z2686800.
Our GDPR compliant contracts give you peace of mind whilst sourcing the products and services you need.