Web Development | Healthcare | Europe

GDPR-compliant client portal for a European healthcare provider

  • Delivery: 6 weeks
  • GDPR: Fully compliant
  • RBAC: Role-based access

Services: Web Development, IT Projects & On-Demand, Cybersecurity

The Challenge

A European healthcare provider needed a client portal to replace a legacy paper and email-based document exchange process used for sensitive patient records and clinical reports. The portal required role-based access control, GDPR-compliant data handling, and encrypted document storage. Previous attempts using off-the-shelf portal solutions had failed on compliance grounds — data residency, retention controls, and audit logging requirements could not be met. The organisation needed a purpose-built solution with full compliance documentation.

Our Approach

BPro IT scoped the engagement with the client's data protection officer and clinical operations team before a line of code was written. GDPR compliance was architected in from the start: data residency in EU Azure regions, field-level encryption for sensitive data, automated retention and deletion workflows, and a comprehensive audit log of every document access event. The portal was built on Next.js with server-side rendering for performance and security, role-based access control enforced at the API layer, and end-to-end encrypted document uploads to Azure Blob Storage. A six-week delivery was agreed with weekly review checkpoints.

The Outcome

Portal delivered in six weeks with full GDPR compliance documentation, including data processing records, retention schedules, and privacy impact assessment. Document exchange moved entirely online on day one of go-live. Technical handover included full architecture documentation, API documentation, staff training materials, and a data protection operations guide for the client's DPO. Zero compliance issues raised in post-launch review.

  • Delivered in 6 weeks to agreed scope and budget
  • Full GDPR compliance documentation provided
  • End-to-end encrypted document uploads live on day one
  • Role-based access control enforced at API layer
  • Full technical handover including DPO operations guide

