Our preparation for GDPR
Our project team continues to work proactively to ensure readiness for GDPR implementation in May 2018.
This project is run by a formal Project Team, which reports in detail each month to our Senior Management Team.
We have initiated a comprehensive four-stage programme of preparation activities to support GDPR compliance and the appropriate protection of client and staff data.
We have held internal awareness sessions for senior management, stakeholders and staff.
We are in the process of carrying out an Impact Assessment so as to understand and document all personal data processing activities.
Where processes can be improved, we are documenting the proposed changes.
We are ensuring that the appropriate technology, processes and policies are in place, both to meet the May 2018 requirements and to serve as the foundation of our future Information Governance platform.
As a Data Controller, we intend to rely on our contracts with customers and service providers (which set out the processing activities) as the basis for the data processing we undertake. It is therefore essential that we have a contract in place with every customer and third-party processor, and that each processor contract incorporates updated data protection clauses covering the terms required by Article 28 of the GDPR. Where this applies, we will be in contact with service providers over the coming months.
GDPR provides the following rights for individuals:
- Article 15 – Right of access by the data subject
- Article 16 – Right to rectification
- Article 17 – Right to erasure (right to be forgotten)
- Article 18 – Right to restriction of processing
- Article 19 – Notification of rectification, erasure or restriction to recipients
- Article 20 – Right to data portability
- Article 21 – Right to object
The content of our Privacy Notices is under review and will be updated to inform clients of their rights and of how we intend to process their data. This will include information on how to submit a Subject Access Request (SAR) and whom to contact.
We already have a breach reporting process that tracks the lifecycle of a data breach from the initial report through to review by the Risk and Compliance team. This process is being reviewed and tested to ensure it meets GDPR requirements, in particular the Article 33 requirement to notify the supervisory authority of a notifiable breach within 72 hours of becoming aware of it.
Data Protection Officer
We will be appointing a Data Protection Officer who reports directly to our Executive.
We have undertaken a wide-scale review of the systems and processes we use to process customer and staff data. We are documenting these systems so that our Data Protection Officer can ensure that all appropriate technical and organisational measures are in place.
Data Protection by Design
This is a general obligation to implement technical and organisational measures that demonstrate data protection has been considered and integrated into our data processing activities; it also includes the good practice of carrying out Data Protection Impact Assessments (DPIAs). We are also introducing a DPIA requirement for all future IT projects and process changes.
Further Information on our GDPR preparations
For further information please contact:
Business Development Director