GDPR

The General Data Protection Regulation (GDPR) is a European Union data protection law that requires businesses to protect the personal data and privacy of EU citizens. If your business processes the personal data of EU residents, whether you are based in the EU or elsewhere, GDPR applies to you.

Non-compliance with GDPR can result in severe penalties imposed by the member states and the European Parliament. Fines, which can be imposed by supervisory authorities, can reach up to €20 million or 4% of a business's annual global turnover, whichever is higher. In addition to financial penalties, businesses may face legal action and reputational damage.

A Data Protection Officer (DPO) is a role mandated by GDPR for certain organisations that process large volumes of personal data, particularly sensitive data. The DPO oversees GDPR compliance, assesses data processing practices, and serves as a point of contact for data protection authorities. If your business meets these criteria, appointing a DPO is required. Assuric offers outsourced DPO services to help businesses fulfil this requirement cost-effectively.

Under GDPR, a data breach must be reported to the relevant supervisory authority within 72 hours if it’s likely to result in a risk to individuals’ fundamental rights and freedoms. Assuric provides data breach response and management services, helping you respond effectively, assess impact, notify affected individuals (if required), and take corrective actions to prevent future breaches.

Completing a DPIA is best practice if your technology collects or processes any personal data. According to GDPR, a DPIA is officially required “whenever processing is likely to result in a high risk to the rights and freedoms of individuals”, and is often required during procurement regardless.

Under the General Data Protection Regulation (GDPR), healthtech companies handling special category data - such as patient health information - must comply with stringent data protection standards due to the sensitive nature of this data. Special category data requires additional security measures, including explicit user consent, strict access controls, and transparent data processing practices to ensure accountability and protect individuals’ privacy rights.

In the UK, healthtech companies are also required to complete the Data Security and Protection Toolkit (DSPT), a self-assessment tool that verifies compliance with data protection standards in health and social care. DSPT ensures that companies align with GDPR as well as the UK’s Data Protection Act 2018, addressing requirements for clinical safety, technical security, and patient data confidentiality. Completing the DSPT is essential for healthtech companies seeking to work with NHS organisations, as it demonstrates a commitment to GDPR compliance and secure data handling.

It is important to be clear that being a data processor or controller is activity based, not company based. For example, every company will be a controller for employee information.

Controllers are the main decision-makers – they have overall control over the purposes and means of the processing of personal information and data. If two or more controllers jointly determine the purposes and means of the processing of the same personal information, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes. Processors act on behalf of, and only on the instructions of, the relevant controller.

Our experts can help advise you on this.

Yes. GDPR applies to any organisation that processes personal data of EU residents or any of its member states, regardless of where the data is stored. This means that even if your business is based outside the EU but targets or handles data from EU citizens, you are required to comply with GDPR standards.

Yes, GDPR still applies in the UK post-Brexit, but as a UK-specific version known as the UK GDPR. It mirrors the EU GDPR's principles, rights, and obligations, but is governed by UK law under the Data Protection Act 2018 and the UK GDPR regulations.

The UK GDPR is essentially a "retained" version of the EU GDPR but tailored for UK legislation. While the core principles and requirements are the same, UK GDPR applies only within the UK, and the Information Commissioner’s Office (ICO) is the primary regulator instead of the European Data Protection Board (EDPB). Some procedural differences, such as international data transfer rules, may also apply.