From 25 May 2018 the General Data Protection Regulation (GDPR) will require that organisations that process personal data comply with the obligations set out within the regulation.
At McKesson UK we are proud to provide high quality healthcare services to our customers. Data Protection legislation is not new to us and we have been complying with the Data Protection Act since 1998. The GDPR raises the benchmark for data protection compliance and we will achieve these stringent new standards.
In June 2017 we recruited a Data Protection Officer and undertook a data protection audit and GDPR gap analysis. We put in place a project to ensure that we are compliant with the GDPR by 25 May 2018. We have full support from the UK Board of Directors and a team of data protection champions across the whole organisation.
We have implemented both technical and organisational measures to prepare for the new legislation. Reviews have been undertaken of all our systems and applications and remedial action taken where necessary to keep personal data secure.
We are confident that we can demonstrate our accountability and compliance. Our Data Protection policies and procedures have been reviewed and updated to reflect the changes required under GDPR. We have reviewed and amended our third-party contracts and data subject consents.
Article 30 of the GDPR requires specific records to be kept of data processor activities. We have data inventories across all of our business areas to map what personal data we hold on behalf of data subjects, where it comes from, who we share it with and what we do with it. This provides us with the foundation of our GDPR compliance.
We have always promoted a positive culture of data protection and compliance. This has been improved through awareness and GDPR training for all staff.
The GDPR requires us to notify any security incident or breach and we have a process in place to achieve this.
The GDPR improves data subjects’ rights. We have a process in place to respond to all data subject requests for access to their information.
We are not stopping on 25 May 2018. We have already planned how we will monitor and report on our compliance. We will ensure that we continue to securely process personal data.
If you have any questions about GDPR, please contact our Data Protection Officer at firstname.lastname@example.org.