GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) applies from 25 May 2018, when it supersedes the UK Data Protection Act 1998. It aims to give people more control over how their personal data is used and provides businesses with a clearer legal environment in which to operate.
RiskSTOP Group is committed to robust procedures around data protection and our controls comply with the international standard for Information Security Management Systems ISO 27001:2013.
When it comes to GDPR, it is worth noting that there are some organisations trading online who claim to have achieved compliance with things like ‘certified EU General Data’ along with wild claims that they are formally accredited. However, there is as yet no such thing as GDPR certification, so rather than mislead you our approach is to tell you what we have done to ensure that your data and that of your clients remains safe.
Here are the steps we have taken to ensure our GDPR compliance:
WHAT HAVE WE DONE
Step 1 - How prepared were we for GDPR?
We initially raised awareness internally and then carried out a group-wide GDPR assessment covering all subsidiaries. This was supported by a number of seminars attended by our team (HR, IT and Operations).
Step 2 - Where is our personal/sensitive data?
To initiate the process we identified where all the data is stored, the access points to it, what format it is stored in and how the data flows through our processes.
Step 3 – How do we manage the data points?
We have reviewed our process for how clients ‘opt in’ or ‘opt out’ (unsubscribe), including for mailing campaigns, so that clients can be assured that no information is passed to a third party without their prior knowledge or agreement. If they wish to unsubscribe at any point, a process is in place to remove and delete their contact information.
Step 4 - How do we protect the data?
We reviewed all of our processes for storage and backup to ensure compliance and, where possible, data is encrypted for additional security. Where information is collected regarding payments for services (credit/debit cards), we have worked with our banking partners to ensure this information is stored securely only on their own systems.
Step 5 - How do we dispose of the data?
We sought legal advice to develop a data retention policy to ensure that we only retain data for its useful life and all other information is disposed of securely.
Step 6 - Could we respond to breaches within GDPR timeframes?
We reviewed our processes and policies and have ensured that, in the unlikely event of a breach, we could respond in line with GDPR requirements (including the 72-hour window for notifying the supervisory authority) and in line with our clients’ needs.
Step 7 - What are our legal implications?
We reviewed our legal policies and updated them in line with the GDPR legislation. For any new contracts we have agreed appropriate wording to be included in all agreements going forward. If clients request amendments to their existing agreements, we have additional schedules specifically focused on data protection and GDPR.
OUR PRINCIPLES OF DATA SECURITY
All RiskSTOP Group companies recognise the importance of the security of our assets and the confidentiality of information, and the need to protect them from unauthorised use, disclosure or destruction.
As a result, we maintain appropriate controls across our business to ensure we are suitably protected and can mitigate damage should a security incident occur. This includes registration and compliance in accordance with the Data Protection Act 1998.
If you require any more information on how we comply with GDPR, please contact our Managing Director at firstname.lastname@example.org