Our Customers
Products & Pipeline
Science & DTx
For business
About us
Contact us
US Payers

ieso and compliance with Data Protection Legislation

We take the privacy of data subjects, and compliance with data protection legislation and regulation, very seriously.

Below is a summary of actions taken to achieve compliance:

  • Appointed Data Protection Officer, Helen Simpson, who acts as the business’s expert on data protection and the main point of contact with the regulatory data protection authorities, if required
  • Created, and continually update, an Article 30 log of all processing activities that involve personal data
  • Confirmed lawful basis for processing activities, carrying out Legitimate Impact Assessments where required.
  • Completed comprehensive Data Protection Impact Assessment of core product.
  • Other Data Protection Impact Assessments completed/ in progress where triggered (e.g. Research activities)
  • Undertake risk scoring of processing activities and identify mitigations commensurate to the level of risk
  • Appropriate Breach Notification policy in place
  • Created/ improved protocols for responding to and monitoring information incidents, looking at root causes and learning from them. No reportable incidents to date
  • Created/ improved protocols for responding to and monitoring information rights
  • Regularly creating, monitoring and updating sets of Privacy Notices for different subsets of data subjects
  • Induction training for new staff and contractors includes Data Protection and information security,
  • Annual company-wide training on Data Protection and information security, and specific health data training compulsory for staff handling patient data and available optionally to all others
  • GDPR compliant Data Processing Addendums/ agreements in place and other due diligence as part of the supplier management processes were personal data involved
  • Developed standard GDPR compliant Data Sharing Agreement for contracts with other Data Controllers
  • Employing other appropriate technical and organisational measures such as maintaining ISO27001, Role Based Access Controls, encryption, pseudonymisation, data minimisation, retention management procedures (including deletion procedures), up to date organisational polices and timely risk assessments
  • Annual preparation and submission of NHS Data Protection and Security toolkit required as Business Partner to NHS
  • Documented Privacy by Default and Design at Ieso
  • Transfers to third countries are restricted where possible but documented with appropriate safeguards in place where they exist
  • DPO works with internal teams to develop GDPR compliant SOPs; reviews contracts for data protection compliance; is actively involved from the onset in CAPAs, new product development, cookie compliance, and trust and transparency collateral; works closely with Caldicott Guardian and Senior Information Risk Officer on ethical decision making, new patient access requests, etc; and prepares other accountability ‘decision’ documentation (e.g. on anonymisation of research data sets)
  • Compliant with NHS national data opt-out service that allows patients to opt out of using their confidential information being used for research and planning.