GDPR Frequently Asked Questions

As of 25 May 2018, organisations that collect, process or store the personal data of individuals in the EU must comply with the requirements of the General Data Protection Regulation (GDPR).

iRhythm takes data privacy and security seriously. We have been enhancing our already robust compliance programme to align it with the specific requirements of the GDPR, including retaining external security and data privacy experts in the UK and US. We are committed to compliance and to transparency with our customers and patients.

Below we have answered some common questions regarding the GDPR. If you require additional information, please contact us at


Does the GDPR allow EU personal data to be transferred outside of the EU?

Yes. The GDPR permits personal data to be transferred outside the EU (and the wider EEA) provided that an approved transfer mechanism is in place, for example an adequacy decision by the European Commission, standard contractual clauses or binding corporate rules, and that the transferred data remains protected by appropriate security measures.

As with many multinational companies, iRhythm shares data among geographically distributed processing centres in order to provide clinical service and support. We rely on European Commission-approved transfer mechanisms and apply security controls to protect the transferred data.

Does the GDPR require EU personal data to be encrypted at rest?

No. However, iRhythm encrypts all data in transit and at rest.

The GDPR requires organisations to implement technical and organisational measures that are appropriate to the risk the processing poses to the rights and freedoms of the individuals concerned, not merely to the risk to the organisation itself. Encryption and pseudonymisation are named in the GDPR as examples of such measures and may be appropriate depending on the circumstances, but they are not mandated in every instance. iRhythm’s encryption policy meets or exceeds generally accepted commercial and government standards.

Can an organisation become GDPR certified?

No, not at present. Certification schemes must first be developed and approved under the GDPR.

The GDPR introduces data protection certification mechanisms, seals and marks that organisations can use to demonstrate compliance, but no GDPR certification programme currently exists. Holding a certification also does not reduce a controller’s or processor’s responsibility for compliance. iRhythm will monitor certification options as they become available and will evaluate whether obtaining them is appropriate. In the meantime, iRhythm continues to evaluate its compliance programme through ongoing efforts including independent third-party audits, security assessments and monitoring of privacy and security safeguards.

Does the processing of EU personal data always require the consent of the data subject?

No. Consent is only one of several lawful bases for processing personal data under the GDPR.

As a general rule, every use of personal data requires a lawful basis under the GDPR. For non-sensitive personal data the available bases include consent, performance of a contract, compliance with a legal obligation and legitimate interests, among others. Sensitive (special category) personal data, such as health data, additionally requires one of a narrower set of conditions to be met, including explicit consent, the provision of medical diagnosis or health care, and other public interest grounds under EU or member state law. iRhythm has identified the lawful basis for each of its processing activities, including where consent is required and at what level, and how information about lawful processing is communicated to patients and other data subjects.

Do EU data subjects have an absolute right to have their personal data deleted upon request?

No. A request for deletion must be assessed against several factors before it is acted on.

The right to erasure (the “right to be forgotten”) is not an absolute right under the GDPR. It does not apply, for example, where the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims. iRhythm has expanded its existing data subject rights programme to account for the new provisions and rights introduced by the GDPR, so that we can respond to data subject rights requests, including requests for erasure.

What if my data is improperly disclosed or used?

We have enhanced our existing incident and breach management programme to monitor for, detect and respond to potential data breaches affecting EU data subjects.

We maintain robust security and organisational controls to minimise the risk of improper disclosure or use. In the event of a personal data breach, iRhythm would activate its breach response process and make all required notifications. Under the GDPR, a controller must notify the relevant Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; the affected data subjects must also be notified without undue delay where the “data breach is likely to result in a high risk to the rights and freedoms of natural persons.” A processor that becomes aware of a breach must notify the controller without undue delay.