GDPR COMPLIANCE STATEMENT
MR GEORGE ERALIL AND GDPR COMPLIANCE

DATA INVENTORY
Consultants, as data controllers, are required to maintain an up-to-date, written data inventory.

WHAT THE DATA INVENTORY COVERS:
1. The types of data I store
a. Identifiable clinic letters and medical records relating to adults I have consulted with in relation to neurological clinical care and prior medical history.
b. Identifiable clinical and medico-legal documentation relating to Civil and Criminal medico-legal expert reports I have provided.

2. Why I store it
a. This information is stored for me to provide ongoing clinical care to the patients I consult with and to complete medico-legal reports to assist the Court in civil and criminal cases in which I have been instructed to act as an expert witness.

3. Where and how the data types are stored e.g. on paper, electronically, email, clouds or other systems
a. The information is usually initially documented on paper, then scanned and uploaded to a password-protected cloud-based server to which Mr. Eralil has sole access.
b. Once uploaded, the paper records are either confidentially disposed of at the medical facility (their responsibility) or, for medico-legal case files, stored securely in a locked area to which only Mr. Eralil has access.
c. Mr. Eralil may email data to his practice management company (Cliniko) as a password protected document using an email client with end-to-end encryption. They have their own GDPR policy for data protection and are separately registered with the ICO.
d. Emails from your personal email to www.neurosurge.co.uk may not be encrypted by your provider.

4. How the data and storage devices are secured
a. Mr. Eralil uses a handheld device, which is protected by Touch ID/numerical PIN, to scan clinical documents in clinic.
b. The .pdf/.png/.jpeg files are uploaded to a password-protected cloud-based server which is confirmed as GDPR compliant (Cliniko).
c. The files are accessed by Mr. Eralil either via the web-portal provided by his practice management company (Cliniko) or by logging on securely to the cloud-based server via a personal device (handheld, tablet, laptop).

RECORD OF PROCESSING
Consultants, as data controllers, are required to maintain an up-to-date record of data processing:

1. How and why data is collected and processed (include third parties who receive patient data to process on your behalf).
a. The data is collected in written format and documented in paper or electronic format by Mr. Eralil and may be sent on to Mr. Eralil’s practice management staff using a secure email account. Other third parties may include: a separately employed medical secretary, Private or NHS medical professionals (GPs and other clinicians), Solicitors (in medico-legal cases), transcription services and billing companies (via Cliniko, Mr. Eralil’s practice management company).