Understanding GDPR Data Controller in 5 easy steps


We’ve all heard of GDPR but in case you haven’t, it is a piece of legislation enacted by the European Union which strengthens and prevent the misuse of data of EU residents. If you have failed to adequately make your organisation GDPR ready you could be putting your organisation at severe risk of a €20,000,000 fine or 4% of annual global turnover (whichever is greater), as well as the irreparable brand damage a breach would cause.

GDPR in practice raises some really big questions such as Who is liable in the event of a breach? who is the GDPR data controller? who is the GDPR data processor?


1) What is GDPR?

Before we understand the role of a GDPR Data controller we must first understand what GDPR is and in simple terms, GDPR is the General Data Protection Regulation which came into effect on May 25th and forbids the misuse of EU citizens data whether your company is based in the EU or not.


2) Who is the GDPR Data Controller?

In simple terms, the GDPR data controller is the organisation that decides how and why customers personal data is processed. They control the data but do not necessarily hold or process it, however, they are responsible for how it’s used, stored and deleted.


3) What are the GDPR Data Controller’s responsibilities?

Under GDPR Data Controllers are obliged to;

  • Protect personal data against compromise or loss by implementing strict technical and organisational measures to secure data.
  • Have a legal agreement with your processors that ensure that they only act on your instructions and comply with GDPR.


4) Who is the GDPR Data Processor?

A data processor, on the other hand, is a company or person who processes personal data on behalf of the controller.

This could include something as simple as storing the data on a third party’s server but also includes for example payroll companies, accountants and market research businesses.


5) What are the GDPR Data Processor’s responsibilities?

Under GDPR, data processors have a lot more responsibilities including;

  • Appoint a Data Protection Officer, if their business processes sensitive data or  ‘big data’
  • Responsible for implementing significant security measures
  • Maintain a record of all data processing operations under their responsibility
  • Inform the data controller(s) immediately of any leaked data
  • Become a joint controller for any data processing they carry out beyond the scope of the controller’s instructions
GDPR Data controller vs Processor
GDPR data controller vs processor

In Summary

GDPR has changed the way we process and control data and understanding your role as either a data controller, a data processor or both which is not only essential to protect your users but also required by law.


Still not compliant? Use software to get GDPR compliant today! CLICK HERE

Running a startup is hard especially in a heavily regulated sector like MedTech and because of the nature of the industry and the types of data Medtech startups typically handle it’s even more important to do compliance the right way.

While you may be compliant with CQC and HIPAA what you may not be aware of is the risk to your companies data and below are a few things you can do today to help you resolve those issues.


medtech compliance


1) Use a password manager, and make your team too


Remembering passwords has always been a hassle and traditionally the only solutions were;

  1. Using the same password everywhere
  2. Forgetting your password
  3. Writing your password down in an insecure location

All of the above solutions are incredibly insecure and present a risk to your organization especially if the passwords are the key to sensitive data that you’re liable for.

A far more secure way of storing and sharing passwords is by using a password manager. We recommend 1Password as it’s simple to use, secure and has excellent team sharing capabilities.


2) Have GDPR compliant privacy policies


You’ll need to update your terms in order to inform your customers and anyone else who you store data on about how you are collecting, processing and sharing their data.


Click here to grab a privacy policy builder for free.


3) Update, update, update


As annoying as it may seem, device manufacturers often release security patches to keep you protected, it’s critical you apply these when they become available otherwise it can lead to irreversible damage.

The CryptoLocker ransomware that hit the NHS in 2017 would have been stopped dead in its tracks if they had patched their machines within the last 2 months.  


uk medtech


4) Use 2FA for all privileged accounts


Two Factor Authentication is an excellent additional measure to ensure your company protects its data.

Even with a compromised username and password an attacker is unable to access the account because you have to authorise access to your account using a code only accessible through your phone.


5) Enable Your Firewall


The last thing you want is a hacker getting access to sensitive data which is a risk by not having a firewall enabled on your network.

In simple terms, a firewall is designed to prevent unauthorised people accessing your private networks connected to the internet. All messages leaving or entering pass through the firewall, which examines each message and blocks those that do not meet the security criteria.

Your Medtech startup needs a firewall to protect your confidential information from those who are not authorised to access it and to protect against malicious users and accidents that originate outside your network.


6) Password enabled

Believe it or not, over 90% of cyber attacks and security breaches arise from human error. With that said not having a secure password enabled on all of your employee devices is not only inadvisable but ultimately reckless.

Imagine this scenario; an employee has a personal data on their laptop and the device does not have a password enabled and the employee loses the laptop. That’s a very scary scenario but easily rectifiable by ensuring that every company or personal device that is used for work has a password enabled.


7) Disk encryption enabled


Enabling disk encryption (filevault in Mac and Bitlocker in Windows) prevents someone with physical access to a machine from extracting all the data. In order to do this on an unencrypted disk, an attacked simply removes the drive from the machine and connects it to a disk reader to access all the contents in plain text.  They can download all documents, pictures, sensitive information as well as see whatever is stored in the browser. Scary stuff. Prevent it by simply enabling disk encryption.


8) Automatic Operating System Update


Another way to prevent malicious attacks is to enable automatic software updates for your operating system. Even if you have a Mac you need to ensure that you’re using the newest operating system as it is a myth that Mac’s cannot be susceptible to threats and malware.

Hackers and malicious cybercriminals use weaknesses in the software and apps to attack your devices and steal identities and sensitive data which is why it is extremely important to ensure that your organisation is using the latest Windows, Mac or Linux software.

But what if they disrupt my work and it takes time out of my schedule? Fortunately, on most operating systems they allow you to schedule when you would like the update to occur so it shouldn’t cause much disruption and in the event that it does at least your data will be safe!


9) Certification


One of the ways to ensure that you’re handling data the correct way is to get a Cyber Essentials certification. Why would you want it? Cyber Essentials is a government-backed certificate to help organisations protect themselves against online threats and is a great way to show suppliers and customers that you take security seriously and you’ve taken steps to secure their data.

Although it’s a great start, Cyber Essentials is really the most basic level of compliance your MedTech startup should be aiming to achieve and if you desire a higher level of compliance then you should be aiming to get the Information Assurance for Small and Medium Enterprises (IASME) certification. This is based on the ISO 27001 (the industry standard for the management of information security) but tailored for small businesses.




When you do all of the steps above your MedTech startup becomes a few steps closer to becoming compliant however  If you are serious about ensuring that your business data is being protected and you want to improve your business reputation schedule a demo to learn more about Cyber Essentials.


Your Company


CyberSmart and Livesmart case study

Why is data protection important to LiveSmart?

LiveSmart aims to create a better world through health analysis and behaviour change. With great power comes great responsibility and we put our clients at the centre of everything we do – including protecting them and their data. We collect both personally identifiable data and sensitive data which means our security needs to be well thought out and very tight to protect our users.


Your Experience

What did you do about compliance before?

For the first two years, compliance was pretty relaxed. The main reason we began addressing our compliance was due to a significant client who required certain things to be in place. Additionally, with GDPR coming into play in May this year it highlighted the importance of data security and compliance. It was very much a hard and fast lesson – building the parachute while you are falling off the cliff so to speak – but it was a lesson well learnt and now that we have everything coming into place the team have a good structure to work within.


Why did you choose to use CyberSmart?

We were referred to CyberSmart by a fellow startup and after our CTO spoke with them, we felt like it would be a simple way to implement the compliance we needed to. Plus – CyberSmart… LiveSmart, seemed meant to be?!


Did it deliver on what you were hoping for?

CyberSmart has been better than we hoped. The team are incredibly friendly and helpful, they simplify some very complex issues into manageable components and make compliance much less scary than it is, while not removing the importance behind it.


Your Advice

What one tip would you give to other MedTech startups in terms of compliance?


You need to feel very certain about what is going on with your data very quickly.
Get crystal clear on what processes exist, where the data flows and who you use to process your data. Without this knowledge, you are at risk of data breaches, data loss and coming under scrutiny from your all-important customers.

Speaking at the lecture for the Institute of Chartered Accountants in England and Wales in London earlier this year, Elizabeth Denham of the ICO, discussed the role of accountability in GDPR and how people must adjust their mindsets in regard to how we think about data protection as well as what GDPR may actually look like in reality.

Read More

Step 1 to CE: Boundary Firewalls and internet gateways

A firewall or gateway protects internal networks and systems against unauthorised access from the internet. They are designed to provide a basic level of protection for internet users. All business networks should have a properly configured firewall in place. The firewall monitors all network traffic, whilst identifying and blocking any traffic which can be harmful.

Read More

The ICO (Information Commissioner’s Office) has produced a checklist, highlighting the main steps organisations can take immediately to prepare for the GDPR, which will apply from 25th May 2018.

It is important to use this checklist and other ICO resources to identify the main differences between the current Data Protection Act (DPA) and the GDPR.

Below are three steps taken from the list which are worth knowing about! Read More