Getting ready for General Data Protection Regulations (GDPR)
Summary
Burmantofts Community Projects (BCP) has long been committed to keeping our clients’ data private and secure. We want to reinforce this commitment as we move towards compliance with the GDPR, BCP currently complies with all legislation relating to Data Protection.
Burmantofts Community Projects (BCP) has long been committed to keeping our clients’ data private and secure. We want to reinforce this commitment as we move towards compliance with the GDPR, BCP currently complies with all legislation relating to Data Protection.
What is GDPR?
On the 25th May 2018, the data protection system across the EU (including the UK) will change. GDPR will replace the provisions of the Data Protection Act 1998 (DPA). The GDPR preserves the rights provided under the current law and also provides new rights and enhanced protection for individuals, known as Data Subjects.
The following are the new rights for individuals under GDPR:
On the 25th May 2018, the data protection system across the EU (including the UK) will change. GDPR will replace the provisions of the Data Protection Act 1998 (DPA). The GDPR preserves the rights provided under the current law and also provides new rights and enhanced protection for individuals, known as Data Subjects.
The following are the new rights for individuals under GDPR:
- 1. Right to be informed
- 2. Right of access
- 3. Right of rectification
- 4. Right to erasure
- 5. Right to restrict processing
- 6. Right to data portability
- 7. Right to object
- 8. Rights in relation to automated decision making and profiling
BCP GDPR Statement
BCP are committed to achieving compliance with GDPR prior to the implementation of the Regulation in May 2018. We are taking many steps across the entire business to ensure we will be ready for GDPR. We are identifying what personal data we hold for our clients, why we hold it, where it is stored and for how long. We are already compliant with the Data Protection Act and our compliance with GDPR will build on this foundation.
Below is an overview of our GDPR road map and progress so far:
BCP are committed to achieving compliance with GDPR prior to the implementation of the Regulation in May 2018. We are taking many steps across the entire business to ensure we will be ready for GDPR. We are identifying what personal data we hold for our clients, why we hold it, where it is stored and for how long. We are already compliant with the Data Protection Act and our compliance with GDPR will build on this foundation.
Below is an overview of our GDPR road map and progress so far:
- Board approval and support from the whole business to undertake this important work – in progress
- Thorough audit of all areas of our business, products and services which are likely to be impacted by GDPR – in progress
- Identify all systems and locations that hold personal data to ensure we know whether that data is held, why we hold it and for how long – COMPLETE
- Develop a strategy and requirements for how to address the areas impacted by GDPR – COMPLETE
- Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – in progress
- Ensure that all members of the business are educated and informed about GDPR and the changes that will be required by our business – COMPLETE
- Test all of our changes thoroughly to verify and validate compliance with GDPR – in progress
- Finalise and communicate our full compliance prior to the deadline – to be announced prior to 25th May 2018
Consent
Consent is not required where the personal data is necessary for an employment contract, necessary to fulfil a legal obligation, for vital interests (life and death), in an official authority or the public interest or for a legitimate interest (things you choose to do but you must have a good reason for doing it).
Consent is not required where the personal data is necessary for an employment contract, necessary to fulfil a legal obligation, for vital interests (life and death), in an official authority or the public interest or for a legitimate interest (things you choose to do but you must have a good reason for doing it).
- Consent must be given unambiguous, freely given, demonstrable (written records), specific and informed.
- Opt out is not consent nor is silence assumed as consent.
- Consent must be as easily to withdraw, as it is to give. No imbalance must exist between the data subject and the data controller for consent.
Accountability and Record Keeping
- Need to ensure the relevant documentation is in place e.g. data protection and privacy policies.
- Carry out data protection impact assessments – we are in the progress of doing this
- Inform and train everyone on how to implement policies.
- Responsibility at the highest level for monitoring implementation of policies.
- Procedures for addressing breaches.
- The name and contact details of the data controller and the Data protection Officer (DPO) where necessary, the purpose for processing data.
- Description of categories of data subjects and categories of personal data.
- If it has been shared with whom.
- If it is being transferred out of the EU.
- Time limits to erase data (retention policy).
- Description of security measures in place.
Data Protection Officer
BCP will not be appointing a DPO. Where organisations do appoint a DPO a DPO will:
BCP will not be appointing a DPO. Where organisations do appoint a DPO a DPO will:
- Have “expert knowledge” of data protection law and to advise the data controller.
- Be involved in all issues which relate to the protection of personal data.
- Be required to attend regular training.
- Be involved in data protection impact assessments.
Data Protection Controller
BCP will be appointing a DPC, due to the size and nature of our organisation.. The DPC will:
BCP will be appointing a DPC, due to the size and nature of our organisation.. The DPC will:
- Be trained in GDPR and data protection regulations
- Be involved in all issues which related to the protection of personal data
- Be required to attend regular training
- Be involved in data protection impact assessments
- Be involved in the development of the data protection policies
Next Steps
We are currently reviewing our data security, privacy policies and processes to ensure that we are not only compliant but go further to ensure that your data is safe with us. Based on the research conducted both internally and externally, we are confident that the measures we have introduced will meet the requirements of GDPR.
We are currently reviewing our data security, privacy policies and processes to ensure that we are not only compliant but go further to ensure that your data is safe with us. Based on the research conducted both internally and externally, we are confident that the measures we have introduced will meet the requirements of GDPR.
Ebor Gardens Advice Centre, Money Buddies and Benefit Buddies are free, confidential, impartial and independent and are a Burmantofts Community Project
Charity Reg. Number: 1051368 Company Reg. Number: 3061633