One of the largest rehabilitation centers in the Netherlands operates at 15 locations and provides high-quality care to all of its patients. To keep doing so in a fast-paced environment, the board of directors decided to prioritize privacy and information security compliance, since both fields are regarded as contributing factors to reaching the internal quality goals and KPIs. The board took ownership and is enabling the organization to reach the ambitious goals it has set.
The organization was aware of its own shortcomings on these two subjects. It recognized the risks involved and felt a sense of urgency to act professionally and efficiently. Because internal expertise on privacy, information security and information management was lacking, external help had already been engaged. However, direct and accurate insight into how the risks and compliance challenges were being governed had not yet been established.
The rehabilitation center chose Audittrail to set up and manage both privacy and security compliance on its behalf.
We started the project with a baseline status assessment: we reviewed all available documentation, conducted interviews and established the actual state of compliance. The key takeaways from this phase allowed us to research the current level of compliance thoroughly, using NEN 7510 (link in Dutch) as the guideline.
Based on the outcome we formulated a practical, continuous improvement plan. The plan was divided into several focus areas and phases according to the results of the risk assessment. This allowed us to set priorities and deliver results within the desired timeframe.
Together with the board and the internal project team we set out to execute the plan. We supplied a project manager and the necessary expertise. Besides improving information security, we also started working on GDPR compliance right away. Throughout this process much attention went to building awareness and testing staff on their level of knowledge.
When we started this project the predecessor of the GDPR, the Dutch WBP, was still in effect. We helped the organization prepare for the switch from the WBP to the GDPR well before May 25, 2018. One example of this preparation was the creation of a privacy office, for which we supplied a privacy expert to support and train the internal privacy office.