The EU General Data Protection Regulation (“GDPR”) is a comprehensive new data protection law that applies from 25 May 2018. It replaces the existing EU Data Protection Directive, strengthening the protection of “personal data” and the rights of the individual, and gives the whole EU a single set of rules governing the processing of personal data of people in the EU. At SARD, we have been working hard to ensure that our clients, as data controllers, can have total faith in us to fulfil our obligations as a processor.
Here are some of the things we’ve been doing to ensure we’re setting ourselves and our customers up to meet GDPR obligations:
Creating our GDPR roadmap
We already carry out data reviews on a rolling basis as part of our existing risk assessments, but we have been paying particular attention to ensuring that all data we hold as a controller, or process on behalf of our customers, is identified, documented and accounted for.
Reviewing our privacy policies
We are working on new privacy policies for visitors to our website and our mailing list clients.
Refining and reissuing our Data Processing Agreements
Strong data protection commitments between controllers and processors are a key part of the GDPR requirements. As a processor, we will only ever process data on the instructions of the data controllers who entrust it to us: the trusts and organisations that contract our services on behalf of their data subjects. In addition to honouring client-side contracts (e.g. NHS procurement requirements), we are finalising a separate Data Processing Agreement, which we will send to all our customers as an addendum to our current SLA.
Ensuring our agreements with our own suppliers are compliant
As a data processor, it is important that we ensure compliance all the way down the supply chain, so we are reviewing all our vendors, finding out about their GDPR plans and putting GDPR-ready data processing agreements in place with them.
Maintaining appropriate technical and organisational security measures
Our ISO 27001 certification is fully externally audited, providing a robust information security framework that underpins everything we develop.
All our staff are undergoing GDPR Awareness Training and key staff members are taking it a step further. Our Operations Manager, Naomi, is now GASQ registered under the International Board for IT Governance Qualifications (IBITGQ) as a holder of the Certified EU General Data Protection Regulation Foundation qualification.
At its heart, GDPR is about protecting the rights of individuals, and that rests on controllers and processors committing to the safety, security and integrity of the data in their care. With 25 May on the horizon, we are happy to answer any questions you may have about how we help our customers ensure that the data they entrust to us is safe and accounted for at every stage of processing.