Cello Health’s GDPR Compliance Statement

The new European General Data Protection Regulation (GDPR) law will come into effect on 25 May 2018. The aim of this law is to ensure all personal data relating to living EU citizens (including the UK) is protected and the companies who work with such data are held accountable for its protection.

We at Cello Health have always been committed to data privacy and protection and have always been regulated by governing bodies, so are comfortable and confident working in such partnerships. However, to ensure we are operating at the highest standards we have taken several additional steps for GDPR compliance. As a business with data collection at our core, safeguarding personal data is of the utmost importance to us.

As a first priority, we are focusing on staffing and resourcing at a board level. We have appointed a Data Protection Officer, who will sit across all Cello Health capabilities and will report to the Cello Health Board, ensuring that data privacy is embedded at the highest level.

At Cello Health we work with healthcare professionals, patients of all ages (including children), key opinion leaders, and clients. We have much experience obtaining appropriate consents and we respect their right to know how we collect and process their data.

Our main areas of focus and actions we have taken in preparation for GDPR are:

Personal data review

  • Reviewed all existing data policies and procedures to make sure they adhere to new legislation and uphold the highest standards of privacy and protection of personal rights
  • Audited all personal data that we hold and created information asset registers
  • Identified the lawful basis for all of our personal data processing


  • Rewriting our privacy policies to align with GDPR guidelines
  • Reviewed all our procedures to align with the individual’s rights as specified under GDPR
  • Updating our subject access request procedure to manage requests for data

Processes and third parties

  • Reviewed our existing processes that cover data breach reporting and made necessary adjustments to accommodate GDPR rules
  • Implemented the necessary Data Protection Impact Assessments for projects that may involve high risk processing as covered under GDPR
  • Implemented new standard contractual clauses with both clients and partners around the international transfer of personal data

Finally, to ensure sustainability, our capabilities are including privacy considerations in all services and processes and all members of staff are being trained thoroughly on the new legislation to complement their existing training on data protection. Our history of data protection and managing informed consent puts us in a strong position for the new legal requirements and any specific client requirements that may arise.

We are confident that our knowledge and preparation should ensure there is no disruption to our day to day delivery of work.

If you have any questions or concerns as it relates to our GDPR preparations please do get in contact with our team.