The EU General Data Protection Regulation (GDPR) was implemented from 25th May 2018 and replaced parts of the Data Protection Act 1998. The privacy legislation has brought a uniform data protection law across Europe and strengthen the rights that EU citizens have over the processing of their personal data.

At UKIM, we have always been committed to protecting the integrity of the data we process and are certified to the highest possible standard of information security. We embrace ISO27001 controls right across our business and everything we do focuses on forming a protective seal around the hundreds of pieces of personal sensitive data that we process each day. Information security - it’s a way of life here.


A CULTURE OF COMPLIANCE – our established policy framework forms a fundamental part of UKIM’s information security management system (ISMS) and sets out the principles we apply to protect information. The suite of policies that are embedded as part of our organisational culture have been reviewed and adapted to ensure GDPR compliance.

AUDITING THE INFORMATION WE HOLD – information audits and process registers already form part of our ISMS. We systematically log all data processing activities and define the nature and lifecycle of the data.

PRIVACY INFORMATION - we understand the importance of trust and transparency and that individuals have the right to be informed about the collection and use of their data. Our privacy information is available to view at all times on our website (UKIM Privacy Policy) and a link to this is also included on all patient correspondence.

AUTHORITY TO PROCESS – we recognise the importance of giving individuals choice and control and have always sought authority to process personal data. We will continue to ensure that our controls are GDPR compliant.

DATA PROTECTION BY DESIGN – our established change management function guides any business alteration and ensures that we manage our obligations under GDPR throughout the entire lifecycle of any modifications.

SUPPLIER MANAGEMENT - our supplier management program ensures that all suppliers are assessed, approved and that the relevant contractual provisions are correctly applied. We have re-contracted with our entire supplier network to ensure that our Data Protection Act clauses reflect the requirements of GDPR.

NEAR MISSES - at UKIM our Incident Management Framework is entrenched into our processes – anything that compromises information security is logged – this includes any actual incidents, suspected events, weaknesses and third party events. A culture of collective responsibility, along with our robust approach for near miss detection, investigation and reporting ensures continual improvement in our data security processes.

SUBJECT ACCESS REQUESTS - we have an established protocol for responding to requests from our data subjects and these are managed within our case management system.

INDIVIDUALS’ RIGHTS – we understand our obligations to data subjects in regards to their rights to: be informed, access, rectification, erasure, restrict processing, data portability and to object.

Further information regarding GDPR can be found here.