How we are preparing for GDPR

Apr 25, 2018
Naomi Liddle

Tags: GDPRdata privacyinformation security

The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It will be a single set of rules which govern the processing and monitoring of EU data. At SARD, we have been working hard to ensure that our clients, as data controllers, can have total faith in us to fulfil our obligations as processors.

Here are some of the things we’ve been doing to ensure we’re setting ourselves and our customers up to meet GDPR obligations:

Creating our GDPR roadmap

We carry out data reviews on a rolling basis as part of our existing risk assessments, but we have been paying particular attention to ensuring that all data that we hold as controllers, or process on behalf of our customers, is accounted for.

Reviewing our privacy policies

We are working on new privacy policies for visitors to our website and our mailing list clients.

Refining and reissuing our Data Processing Agreements

Strong data protection commitments between controllers and processors are a key part of the GDPR requirements. As processors, we will always only process data under the instruction of the data controllers who entrust it to us - the trusts and organisations that contract our services on behalf of their data subjects. In addition to honouring client-side contracts (eg NHS procurement requirements), we are currently finalising a separate Data Processing Agreement which we will be sending out to all our customers as an addendum to our current SLA.

Ensuring our agreements with our own suppliers are compliant

As data processors, it is important that we ensure compliance right down through the chain, so we are reviewing all our vendors, finding out about their GDPR plans and arranging GDPR-ready data processing agreements with them.

Maintaining appropriate technical security measures

Our ISO27001 certification is fully externally audited, providing a robust security framework that underpins everything we develop.


All our staff are undergoing GDPR Awareness Training and key staff members are taking it a step further. Our Operations Manager, Naomi, is now GASQ registered under the International Board for IT Governance Qualifications (IBITGQ) as a holder of the Certified EU General Data Protection Regulation Foundation qualification.

Any questions?

GDPR is, at heart, a commitment between controller and processor to ensure the safety, security and integrity of the data in their care. With the 25th May on the horizon, we are happy to answer any questions you may have on how we help our customers ensure that the data they entrust to us is safe and accounted for at all stages of processing.

Find this interesting?

You should sign up to our newsletter because it will keep you up to date with Medical HR, technology and what SARD JV are up to. We promise not to send you a load of sales bumf. Newsletters have a typical email open rate of around 15-20%. We aim to keep our open rate above 60%. That means we'll only add you to the list if you really want to be added and work hard to send you interesting stuff.

Subscribe to our mailing list