On the 25th May 2018 the new EU General Data Protection Regulation (GDPR) (EU 2016/679) comes into force, bringing with it the requirement to demonstrate compliance and a more stringent approach to the enforcement of data protection and privacy rules. Residents of the European Union (EU), including those of the United Kingdom regardless of the current 'Brexit' negotiations, will have more rights regarding how their personal data is stored, used and processed, irrespective of where in the world this occurs.
Information we hold:
Here at Ontinuity, we are already committed to high standards of information security as both a 'Data Controller' and a 'Data Processor', and we follow industry-recognised standards such as ISO 27001 and PCI DSS. In addition, we have a programme in place to deliver our obligations under the new regulation by working with both our clients and our suppliers. As we approach the 25th May 2018 we are meeting our obligations by identifying and making the changes required in the following areas:
Awareness: Ontinuity has already started an internal process of making sure that decision makers and key people within the company are aware of the new obligations the company has to meet, and is amending its staff policy documentation ('Staff Handbook') to that effect. Where relevant, training will be provided to key staff members.
As both a 'Data Controller' and a 'Data Processor', we are required to identify and audit both the information we obtain or store on individuals in our capacity as a 'Data Controller' and the data entrusted to us by our clients as a 'Data Processor'. This includes reviewing where data comes from, how it is stored and processed, and whether it is shared with any third parties.
Communicating Privacy information:
As well as ensuring we communicate our policies around privacy information, it is important that we introduce and maintain processes that put the individual rights of our clients first.
Subject Access Requests:
A new process will be introduced that allows clients to submit a subject access request and explains how we will handle requests for access to the information we hold on them within the one-month timeframe.
Lawful basis for Processing:
Although Ontinuity already asks for and collects only the information on individuals that is essential to the provision of our services, we are reviewing all areas of the business to see whether any data collection methods could be deemed superfluous or unnecessary.
Currently, in the majority of cases, consent is largely implied by the fact that a request for our services has been made. We are changing the processes that ask for an individual's data so that they expressly request the user's consent and provide links to privacy documentation explaining how this data might be used and why.
Ontinuity is already registered with the ICO and adheres to the obligations under the existing Data Protection Act (DPA). A new, separate policy will be put in place that directly addresses the requirements and obligations around the reporting of data breaches, and makes the reporting of suspected data breaches easier.
Data Protection by Design:
As an existing recommendation of the Data Protection Act, Ontinuity already places significant emphasis on data protection at every step of any new project or provision of service. Under GDPR this is now an express requirement, and some amendments to existing processes have been made to reflect this.
Data Protection Officers:
Although Ontinuity is under the size at which GDPR requires a Data Protection Officer to be formally designated, we have designated a member of management staff who is responsible for managing and assessing the company's obligations under GDPR and who reports directly to the management board.
Ontinuity does provide and share data with a number of organisations in other EU member states and internationally in order to provide its services. As the vast majority (>95%) of our processing and data controllers are based in the United Kingdom, the UK Information Commissioner's Office (ICO) will be the lead data protection supervisory authority to which Ontinuity reports.
In the coming months Ontinuity will continue to monitor and develop its processes and to provide staff training. Where required, amendments to existing contracts will be put in place: with our clients, for whom we act as 'Data Processor'; with our suppliers, for whom we act as 'Data Controller'; and with any other third parties or sub-contractors, or where we have data export arrangements.
For more information on our objectives, or to seek advice on our direct relationship and how it might be affected, please contact us.