The new data protection regulations, the GDPR, come into effect across Europe on the 25th of May. The new rules are designed to ensure that data controllers – and data processors, like us – put in place rigorous measures to protect customer data.
No company or organisation is unaffected by the new rules, and all must be compliant by the introduction deadline in May.
Whilst it will be challenging for many companies to implement the new processes, devote the staff time and invest in the supporting IT systems necessary to be compliant, the GDPR is nevertheless to be welcomed as an important building block for the digital economy and should go some way towards restoring and maintaining consumer trust in the companies that engage with them through digital channels.
How has Púca been preparing for GDPR?
Here at Púca, we’ve been preparing for GDPR for some time now, so we thought we’d share some of the activities and measures we’ve put in place to meet the requirements of the GDPR and to create a ‘compliance culture’ within our company:
PrivacyEngine & Sytorus
One of the key actions we’ve taken is investing in a company-wide compliance tool called PrivacyEngine, provided by the data protection specialists Sytorus, whom we have also engaged to provide us with ongoing data protection consultancy.
PrivacyEngine is a powerful, user-friendly data protection application that helps us implement and demonstrate GDPR compliance. It includes features such as automated logs, built-in learning, document management systems, policy templates, reviews and access to ongoing expert advice from Sytorus, one of Ireland’s leading data protection practitioners.
Staff Awareness and Training
All of our staff have undertaken a series of training modules to ensure they are educated on our collective and individual responsibilities as data processors. Our technical staff have also undergone additional tech-focussed training to ensure they are up to speed on the latest security tools and technologies.
Audit and Log of Processing Activities
We have conducted a detailed audit of all of the processing activities we carry out both for ourselves (such as for HR and our own marketing purposes) and also those we conduct on behalf of our clients and have implemented a comprehensive Processing Activities Log that is recorded and maintained in the Privacy Engine portal.
Review and Risk Assessment of IT Systems
We have also conducted an extensive review and risk assessment of our IT applications and infrastructure, mapping out the customer data flows through our systems, identifying where there might be risks and putting in place actions to mitigate these risks. This work has been recorded and tracked in our IT systems log and risk register in Privacy Engine.
Updating of Company Policies and Contracts
We have reviewed and updated all of our company policies, ranging from our overall Data Protection Policy to our Information Security Policy to policies such as Clean Desk, BYOD and Website Privacy. In addition, we have developed a GDPR-compliant Data Protection Addendum to our customer contracts. We have also reviewed any sub-processors that we use and ensured that they apply the same level of data protection standards as we do.
Subject Access Requests
We have put in place the technical and organisational measures required to respond promptly to requests by our clients’ customers who want to exercise their rights under the GDPR, such as the right to access their data and the right to have any data held about them deleted.
Data Breach Notifications
Similarly, we have put in place new IT systems and administrative processes to report on data breaches and to inform and support data controllers were such an event to happen.
Customer Communication and Support
We have been communicating with our clients to keep them informed about what we are doing in relation to GDPR and supporting them in their own preparations. We have also set up a dedicated email address email@example.com to respond to any queries from our clients going forward.
That’s just a snapshot of some of the main activities we have been conducting, but needless to say the process of maintaining appropriate security safeguards for our clients’ data is very much an ongoing task, and one that our team is well trained in and focussed on delivering to the highest standards.
To contact us about any issues relating to GDPR or data protection generally, please email firstname.lastname@example.org