The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 and affects every organisation that holds or processes personal data.
It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially higher penalties than the Data Protection Act (DPA) it superseded.
Leask Accountancy Solutions' approach to GDPR
We are committed to implementing and maintaining high standards of information security, privacy, and transparency. We impose strict rules on ourselves for protecting and managing data in accordance with the GDPR and other applicable regulations, including the Privacy and Electronic Communications Regulations (PECR).
We will comply with the GDPR. We have started the process and aim to complete our GDPR compliance changes on or shortly after the date the regulation took effect, 25 May 2018. As a data processor, we will work closely with our customers and partners to meet the contractual obligations that apply to our procedures, products, and services.
We will embed the GDPR in our operating principles and ensure our employees remain mindful of its importance to them as data subjects, and that they always consider it when handling other people's personal data.
What we have done
We recognise that GDPR is a specialist area and have purchased a workbook solution created and supported by a professional organisation. We are now part-way through the processes required to achieve compliance.
In more detail, what we are doing is…
We are working through the 12-step GDPR process laid out by our advisors, focusing on the personal data we hold for our customers, clients, suppliers, and vendors.
We are preparing our staff for the GDPR by making them aware of their responsibilities with respect to other people's data, and by ensuring that they in turn know how we handle their own personal data.
We are updating all our policies and procedures in light of the GDPR.
We are updating our notices and system procedures so that all data subjects are aware of their rights and freedoms.
We are continually investing in technology so that all the data we hold is kept secure and traceable, and so that we can locate it readily in order to delete, destroy or remove it on request or when it is out of date.
We are removing all personal data we no longer need or have no lawful basis for retaining, and where we need to process personal data we are seeking consent where required and/or defining the lawful basis under which we may process it.
We are implementing an incident management and breach reporting process so that, should an issue arise with any personal data, we can quickly and efficiently detect and report the problem, including notifying the ICO (within 72 hours of becoming aware of a notifiable breach) and the affected data subjects where required.
What we ask others to do
Where we share data with third parties, we are updating the relevant contracts and agreements so that those third parties are legally bound to protect the personal data we share with them. This allows us to ensure those third parties fall within our compliance guidelines.
If we are going to process personal data received from a third party, we ensure that they have the right to send us that data. Once we receive it, we will notify the individual data subjects that we hold it and what their rights are.
We will ask all our employees to undertake regular awareness training so that they can respond to data subject requests, recognise what constitutes an incident or breach, and know where to report it.
Who to contact
If you require more information about how we are progressing with our GDPR obligations, please email [firstname.lastname@example.org].