The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force on 25 May 2018, superseding the Data Protection Act 1998. GDPR will continue to apply despite Brexit, and impacts all organisations that control or process personal data. It grants data subjects a range of new rights, giving them more control over how their data is used. Organisations are subject to new responsibilities and obligations, including the need to demonstrate compliance.
What are we doing to ensure compliance?
At Alcumus, we are committed to protecting and respecting the privacy of individuals, and take our obligations under data protection legislation seriously. We already manage personal data in accordance with the industry standards for ISO 27001, PCI DSS, and in some locations, in accordance with the Cyber Essentials Certification. We understand and welcome the high standards that GDPR will promote and encourage across all organisations that process personal data on behalf of third parties.
In order to ensure that we were ready for GDPR, we put in place a multidisciplinary project team which, informed by an external GDPR gap analysis assessment and specialist external advice, dealt with the following key priorities:
- Modifying and fine tuning our management systems, processes and policies (including ISO 9001 and ISO 27001) to enable us to be GDPR-compliant. To this end, we conducted a full review of our internal and external policies and updated them to ensure that they are GDPR compliant.
- Ensuring that our employees and consultants are fully aware of the new obligations that GDPR introduced, and ensuring that there is accountability and shared responsibility for ensuring compliance, from Board level down and across the Group. We rolled out compulsory GDPR eLearning training across the Alcumus Group to all of our employees and consultants. In-depth face to face training has also been provided, tailored specifically to job role.
- Providing a range of products and services to our customers to assist them in their own GDPR-compliance, including specific support to those who use our technological solutions (such as our specially configured data-capture software), to ensure that such solutions are compliant.
Our five business units process personal data on behalf of our 42,000 customers, from large global brands through to SME businesses. We understand the importance of good data practices to our customers, and are on hand to support our customers through their GDPR-readiness journeys. Some of the specific initiatives that we have rolled out include:
- Data Review – We have conducted an extensive review of all personal data we hold, and have prepared a detailed data roadmap which outlines where this data is held, why we hold it and for how long.
- Contractual Updates – We have conducted a full-scale analysis of third parties who process data on our behalf, and have updated contractual positions to ensure that we (and our customers) are protected. In addition to this, we have updated our current business terms and conditions to give our customers the assurances required under GDPR.
- Process Updates – We have updated our existing procedures to ensure we have the tools to maintain compliance with GDPR. This included the appointment of a new voluntary Data Protection Officer, and a review and update of our existing policies such as our data security and incident response plans.
- Improved Subject Access – We have updated our existing subject access request processes to ensure that it is easier and quicker for data subjects to exercise their rights, and for Alcumus to respond efficiently to such requests in the statutory timescales.
- Review of consents – We have reviewed our existing marketing practices, and associated consents/other lawful grounds for processing, to ensure that these are transparent, fair and GDPR-ready. We have communicated these practices to our marketing teams across the Alcumus Group.
What are the implications for our customers?
We understand the time and resource that is required to ensure that organisations are GDPR compliant. In supporting our customers to manage their risk-exposure and abide by the legislation, we have developed a number of measures and enhancements, through standard features, toolkits and added value solutions. These include:
- Development of data governance modules to our software solutions.
- Provision of template data protection impact assessments, with user-friendly guidance on product-specific considerations.
- Advice on data retention and deletion.
- Stronger software access controls.
- Improved security requirements (e.g. introduction of data encryption at rest).
We understand that GDPR is an ongoing process and we will therefore continue to be in contact with all of our customers to progress our GDPR readiness project. If in the meantime you have any queries, please do not hesitate to contact us at firstname.lastname@example.org
Director of Legal and Compliance