Computer Services Ltd (JAC) works with 130+ NHS Trusts and Health Boards in the UK. The team has over 30 years of proven clinical pharmacy expertise; its industry leading clinically-led software platform ‘One:MedicinesPlatform’ supports customers with closed loop pharmacy management, electronic prescribing and chemotherapy management as a single integrated application.
JAC is privy to significant volumes of sensitive personal data (medical records) in the course of their day to day operations. Under the GDPR, sensitive personal data such as patient medical records have more onerous requirements placed on their use and processing. With data protection being core to its business operations and vital to maintain trust of the NHS as its main customer, JAC sought professional consulting advice from Gemserv.
Gemserv worked with JAC to initially deliver a ‘Health Check’ of its GDPR compliance. Led by our experienced team of data protection consultants, we were able to bring in-depth knowledge to the fore in this project, quickly gaining an understanding of the expectations of JAC’s key commercial customer (the NHS) as well as the data subjects whose personal data would be involved in JAC’s processes. Our consultants’ first port of call was to de-mystify and encourage a risk-based approach which the business could buy-into and understand at multiple levels. This was an important factor in ensuring that all key stakeholders were engaged in the project from the outset.
Main areas of priority for JAC were:
- In depth review and audit to confirm JAC’s position within key contracts as data processor / data controller;
- Expert guidance to support JAC’s product development; and
- Expert guidance in relation to policy production and more importantly, effective implementation.
To support JAC in its GDPR programme of work, Gemserv put in place a temporary Virtual Data Protection Officer (vDPO) support service until such time as JAC were able to identify and train a DPO of its own. This comprehensive service contract provided advice and support on a free-flowing basis during the build up to GDPR coming in to force and beyond. JAC benefited from practical and legal advice on the following:
- Maintaining a risk-based approach to GDPR compliance;
- Practical implementation of policies and procedures;
- Training for staff with varied levels of data protection and compliance experience;
- Advice on new policies and procedures as required based on legislation or business changes;
- Expert advice on international data transfers and data protection matters in preparation for Brexit;
- Liaison with Data Protection Authorities;
- Privacy by design and privacy impact assessment advice; and
- Support in 3rd party supplier / data processor due diligence and on-going management.
This support was provided through a combination of on-site and telephone support and email helpdesk which enabled JAC to submit a significant volume of requests, particularly during the early stages of its GDPR journey. Requests were dealt with promptly by the vDPO team of experienced data protection consultants dedicated to supporting JAC.
Gemserv’s passion for the subject matter and responsive nature during the early stages of the project, and once GDPR had come into effect, has enabled JAC to own issues and enabled the company to learn and implement its own solutions.
JAC feel that the GDPR programme is progressing smoothly and the team is more comfortable with dealing with the regulation and the challenges that it can bring across the organisation. Within the first 6 months of our vDPO contract, JAC has benefitted from significant knowledge transfer – its teams benefitting from increased confidence and experience with dealing with Data Protection issues. As a result, and mark of Gemserv’s value, JAC are now in a position where it feels capable to manage its data protection capability in house.
“With the GDPR Regulation on the horizon at a time of a demanding business agenda JAC elected to commission expert support and guidance to ensure compliance was achieved by the due date. After some consideration JAC selected to engage Gemserv as its partner in the preparation and production of the necessary documentation to ensure JAC was compliant with the Regulation and, more importantly, was able to evidence this status. With the short timeline the early activity was in the fast lane and at times it felt an impossible goal. Fortunately, Gemserv were confident that together the goal would be achieved. JAC reached GDPR compliance in good time and to the satisfaction of all concerned. I feel inclined to end with the well-known phrase ‘when the going gets tough, the tough get going”.
Maureen Little RMN RGN RM RCNT
JAC Clinical Safety and Compliance Manager
“Upon initial engagement with Gemserv we had 4 months to get to a state of GDPR compliance by the deadline of the 25th May 2018. The prompt service delivered by Gemserv during this short time meant that we were able to meet this date. We had two dedicated members of Gemserv assigned to our project who were both polite, accommodating and experts in this field. As a result, in the transfer of knowledge the team at JAC is now in position where it is confident to manage outstanding data protection issues internally and would like to thank Gemserv for all the help and support received throughout this project”.
JAC Contracts and Compliance Officer