Privacy Policy

The European Union’s General Data Protection Regulation (GDPR) came into effect on 25th May 2018 bringing with it wide ranging changes and new responsibilities for organisations that process personal data. These changes will affect all organisations which hold or process personal data, including the Wellbeing Software (hereafter referred to as Wellbeing).

This document outlines the anticipated impact on Wellbeing and our approach to ensuring our compliance with the new legislation.

Are we a data controller or a data processor?

A ‘data controller’ is an entity that controls how and why personal data is processed and a ‘data processor’ uses, handles or works with the data under the instruction of the controller. Therefore, Wellbeing is a data processor for the purpose of existing data privacy legislation and GDPR. Wellbeing is also a data controller in that we store and manage data about our customers, suppliers and staff.

How does the GDPR affect us?

The GDPR affects Wellbeing in its capacity as a data controller for the information we store and manage about our customers, suppliers and staff. However, our core business is providing software solutions, technical support, and in some cases hosting, to our customers. In this respect we process data under the instruction of a data controller and therefore we are a data processor.

Consequently, we must take heed and be compliant with the requirements for both data controllers and processors.

How are we becoming compliant?

Wellbeing has always taken its responsibility for information security and data protection seriously owing to our position as a market leader in the development and maintenance of innovative information systems to the UK healthcare sector. Consequently, we have always operated high standards of information security and data protection and we are committed to maintaining those high standards.

Wellbeing has two main areas of focus in preparing for GDPR:

Ensuring our own compliance.
Assisting the users of our healthcare software applications with their compliance.

Our compliance

Prior to the GDPR, Wellbeing implemented company-wide information security and data protection controls through its ISO 27001-certified Information Security management System (ISMS).

Wellbeing has undertaken an external, independent gap analysis of our existing controls against the GDPR’s requirements to understand where they need to be augmented or where additional controls need to be introduced.

Wellbeing has used the output from this gap analysis to inform and establish a GDPR compliance programme which includes the following key activities:

A review of all data processing activities including confirmation of our lawful bases and purposes for processing data, where data resides, how data is secured and who can access or change data.
Refreshing our staff Data Privacy Awareness Training

Updates to our internal security processes to meet GDPR requirements including processes associated with data subject rights, personal data breach response, privacy by design and third-party compliance
Updates to internal policies, procedures and privacy notices.
A review of the contractual terms between Wellbeing and our customers and suppliersWellbeing has also appointed a Data Protection Officer (DPO) with responsibility for advising and monitoring our compliance with all applicable data protection laws.

Our customer’s compliance

Wellbeing is acutely aware that customers trust us and our software solutions to protect their sensitive data. We therefore commit to ensuring that the security of our customer’s data continues to be at the forefront of everything we do and demonstrating this commitment by continuing to submit our ISMS for external validation against ISO 27001 and other industry standards.

Similarly, customers will need to be confident that Wellbeing can assist them in meeting their GDPR obligations. As such, we are committed to applying the principles of privacy by design and default to our products. This includes providing features within our software that customers can leverage for their own compliance, particularly in relation to data subject rights and data protection impact assessments (DPIAs). We will inform our customers when new features become available.

Wellbeing understands the importance of informing our customers of any incidents or breaches that affect their data. Wellbeing is confident that our technical and organisational measures significantly reduce the risk of data breaches however, in the unfortunate event that a breach does occur, we are prepared to provide timely notification to customers and also to assist with any ensuing investigation.

Will our contracts change?

GDPR contains a legal requirement obliging organisations to update existing contracts that deal with data protection to a more detailed standard.

To comply with this requirement Wellbeing is amending our standard terms which sets out each party’s obligations in relation to data protection. In incorporating these updates, the document sets out in more detail, each party’s responsibilities in relation to how and for what reason either party is collecting, using or handling personal data.

Further questions

If you have any further questions, please contact us by email at [email protected].

Cookie	Duration	Description
_abck	1 year	This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
ak_bmsc	2 hours	This cookie is used by Akamai to optimize site security by distinguishing between humans and bots
bm_sz	4 hours	This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_mcid	1 year	This is a Mailchimp functionality cookie used to evaluate the UI/UX interaction with its platform
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_CAN_BId	never	This cookie is set by the provider Canddi. This cookie is used for user identification. The cookie stores a unique(32-character) reference which identifies the visitor each time when they return to the website.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-121639606-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_CAN_SId	2 hours	No description available.
_ccu	never	No description available.
_ccw	never	No description available.
_mc_anon_id	past	No description
AnalyticsSyncHistory	1 month	No description
CAN_SId	never	No description available.
helpful_user	1 month	No description available.
li_gc	5 months 27 days	No description

Privacy Policy

Subscribe to our newsletter