WellSky works with 130+ NHS Trusts and Health Boards in the UK. The team has over 30 years of proven clinical pharmacy expertise; its industry-leading, clinically led software platform ‘One:MedicinesPlatform’ supports customers with closed loop pharmacy management, electronic prescribing and chemotherapy management as a single integrated application.
The Challenge
WellSky is privy to significant volumes of sensitive personal data (medical records) in the course of its day-to-day operations. Under the GDPR, sensitive personal data such as patient medical records have more onerous requirements placed on their use and processing. With data protection being core to its business operations and vital to maintaining the trust of the NHS as its main customer, WellSky sought professional consulting advice from Gemserv.
Our Approach
Gemserv worked with WellSky to initially deliver a ‘Health Check’ of its GDPR compliance. Led by our experienced team of data protection consultants, we were able to bring in-depth knowledge to the fore in this project, quickly gaining an understanding of the expectations of WellSky’s key commercial customer (the NHS) as well as the data subjects whose personal data would be involved in WellSky’s processes. Our consultants’ first port of call was to demystify and encourage a risk-based approach that the business could buy into and understand at multiple levels. This was an important factor in ensuring that all key stakeholders were engaged in the project from the outset.
Main areas of priority for WellSky were:
- In-depth review and audit to confirm WellSky’s position within key contracts as data processor / data controller;
- Expert guidance to support WellSky’s product development; and
- Expert guidance in relation to policy production and more importantly, effective implementation.
To support WellSky in its GDPR programme of work, Gemserv put in place a temporary Virtual Data Protection Officer (vDPO) support service until such time as WellSky was able to identify and train a DPO of its own. This comprehensive service contract provided advice and support on a free-flowing basis during the build-up to GDPR coming into force and beyond. WellSky benefited from practical and legal advice on the following:
- Maintaining a risk-based approach to GDPR compliance;
- Practical implementation of policies and procedures;
- Training for staff with varied levels of data protection and compliance experience;
- Advice on new policies and procedures as required based on legislation or business changes;
- Expert advice on international data transfers and data protection matters in preparation for Brexit;
- Liaison with Data Protection Authorities;
- Privacy by design and privacy impact assessment advice; and
- Support in third-party supplier / data processor due diligence and ongoing management.
This support was provided through a combination of on-site and telephone support and email helpdesk which enabled WellSky to submit a significant volume of requests, particularly during the early stages of its GDPR journey. Requests were dealt with promptly by the vDPO team of experienced data protection consultants dedicated to supporting WellSky.
The Outcome
Gemserv’s passion for the subject matter and responsive nature during the early stages of the project, and once GDPR had come into effect, have enabled WellSky to own issues and to learn and implement its own solutions.
WellSky feels that the GDPR programme is progressing smoothly and the team is more comfortable with dealing with the regulation and the challenges that it can bring across the organisation. Within the first 6 months of our vDPO contract, WellSky has benefitted from significant knowledge transfer, with its teams benefitting from increased confidence and experience in dealing with data protection issues. As a result, and as a mark of Gemserv’s value, WellSky is now in a position where it feels capable of managing its data protection capability in-house.
Testimonial
“With the GDPR Regulation on the horizon at a time of a demanding business agenda, WellSky elected to commission expert support and guidance to ensure compliance was achieved by the due date. After some consideration WellSky selected to engage Gemserv as its partner in the preparation and production of the necessary documentation to ensure WellSky was compliant with the Regulation and, more importantly, was able to evidence this status. With the short timeline the early activity was in the fast lane and at times it felt an impossible goal. Fortunately, Gemserv were confident that together the goal would be achieved. WellSky reached GDPR compliance in good time and to the satisfaction of all concerned. I feel inclined to end with the well-known phrase ‘when the going gets tough, the tough get going’.”
Maureen Little RMN RGN RM RCNT
WellSky Clinical Safety and Compliance Manager
“Upon initial engagement with Gemserv we had 4 months to get to a state of GDPR compliance by the deadline of the 25th May 2018. The prompt service delivered by Gemserv during this short time meant that we were able to meet this date. We had two dedicated members of Gemserv assigned to our project who were both polite, accommodating and experts in this field. As a result, in the transfer of knowledge the team at WellSky is now in a position where it is confident to manage outstanding data protection issues internally and would like to thank Gemserv for all the help and support received throughout this project”.