One of the most frequent questions we get asked is:
“Is WriteUpp GDPR compliant?”
Obviously this question could relate to any practice management system, and it's a fair question given the amount of misinformation that is floating around. However, it's one that we feel we need to answer carefully and precisely.
First, let me be 100% clear – we will comply with GDPR when it takes effect in May 2018. However, “compliant” implies a level of ratification that doesn’t exist. Before (or after) May 2018 no one is going to be certified against GDPR. Whether you’re a data controller or data processor it is your responsibility to comply with the regulation based on:
- your interpretation of the regulations
- the applicability of the regulations to your specific business
- your assessment of the risks associated with recording and processing personal data
We’re not for one second suggesting that you should be complacent in any way; however, I think it’s important to make it clear that there isn’t a box you can tick anywhere and say “yes, I (as a data controller) or we (as a data processor) are compliant.”
If you (as a data controller) want some kind of assurance about your data processor, we would recommend taking a look at the relevant international standards. There are a number that touch on or relate to GDPR, but your starting point should probably be ISO27001: Information technology — Security techniques — Information security management systems — Requirements.
Here’s the official definition from the ISO (International Standards Organisation):
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”
Given the standard’s scope and the fact that it requires ongoing auditing and certification we feel it provides you (as a data controller) with a good measure of a processor’s ability to protect the integrity of your data. For this reason, it’s probably the closest you will get to a tick in a box, but do keep in mind that ISO27001 and GDPR are not the same thing. It will also greatly help your case (in the event of a breach or complaint) if you can demonstrate that you have taken appropriate measures by, for example, requiring your data processor to be ISO27001 certified.
Here at WriteUpp, we have chosen to seek ISO27001 accreditation to give extra peace of mind to our clients as we move towards the GDPR deadline. We have engaged with QMS International to assist us in the certification process and having completed the Stage 1 process we expect to be certified against ISO27001 shortly before GDPR takes effect.