Data Protection (GDPR)
Protect personal data, earn data subject trust.
We need to protect personal data in our modern, online world. Comprehensive data protection legislation provides a framework for achieving this, and the EU General Data Protection Regulation (GDPR) was introduced in May 2018 across Europe. InfoSaaS has helped many organisations to properly understand GDPR and to ensure they remain compliant with its many requirements. Within the UK, GDPR is delivered as the UK Data Protection Act 2018 (DPA) under the supervision of the ICO. Regardless of your global location, best practice in data protection will help protect personal data, reassure your customers, and reduce the risk of significant financial penalties for non-compliance with the law.
Understanding GDPR's Requirements
If you acquire, process or store personal data, you should fully understand and be able to demonstrate compliance with GDPR. However, with significant requirements around the assessment of personal data processing, the differing roles of data controllers and data processors, the increased rights of data subjects and the significant penalties if things go wrong, this may seem a complex and daunting subject to address. If help is needed our qualified, experienced data protection specialists would be pleased to assist you with taking control of your compliance.
GDPR specifies a mandatory set of documentation and records that need to be produced and maintained – this is to ensure your organisation can demonstrate that it remains legally compliant with all of its obligations to protect personal data.
The Regulation defines roles and responsibilities, the requirements for privacy notices, the need to examine data processing activities, procedures for delivering responses to data subjects' rights requests, procedures for reporting personal data breaches and much more besides.
Thankfully, InfoSaaS provides a range of solutions, policies, procedures, forms and informational guides to assist. These have proved to be invaluable for organisations of all sizes and complexities in recent years.
Data Audit Workshops
If you are to be compliant with data protection legislation, you need to identify, categorise and assess all types of personal data. This includes understanding why it is acquired, how it is protected, which personnel or systems have access to it, which organisations it is shared with, how long it is retained for, and much more.
The best means of undertaking this activity is a data audit workshop, led by one of our data protection specialists, which will provide a comprehensive understanding of your data estate.
Data Protection Impact Assessments
Article 35 of GDPR requires that Data Protection Impact Assessments (DPIAs) are conducted in certain circumstances. These can be considered to be a focused risk assessment as to how personal data is protected as it passes through a data processing operation.
Our InfoSaaS platform provides an intuitive DPIA tool to guide users through the complexity of undertaking such an assessment. The resulting report highlights any issues or areas which require improvement, and can optionally be shared with customers, stakeholders or regulators.
Data Subject Rights Requests
Articles 15-21 of GDPR mandate a set of rights for data subjects in relation to the processing, storage and retention of their personal data.
The InfoSaaS software service includes a repository and GDPR-compliant workflows which allow any data subject requests which are received to be validated and managed to completion in line with the requirements of the Regulation.
In addition, our GDPR Document Pack includes comprehensive procedures and supporting forms that are easy to customise.
Supply Chain Considerations
Your suppliers may have a valid requirement to access or process your personal data repositories, either the data of your own personnel (e.g. a payroll bureau) or that of your customers (e.g. those delivering a contracted service). You have a responsibility to assess their compliance with GDPR obligations as a data processor before sharing any personal data with them.
Such an assessment will need to establish whether technical controls are effective and robust, which systems are in place to detect and report personal data breaches, and what commitments are necessary to co-operate with data subject requests, amongst others. Such obligations are typically included within contracts or formal Data Processing Agreements.
Providing Effective GDPR Training
Your personnel (and any third parties such as contractors) must understand their responsibilities for the protection of personal data, including the rules on how it is obtained, managed, processed, stored and disposed of, and your organisation's data protection policies and procedures. Informative data protection training is essential.
Staff also need to understand how to identify and report personal data breaches, and how they are to co-operate with the processing of received data subject requests. We would be pleased to propose a suitable data protection training framework which delivers your organisation’s individual training and educational needs.
Virtual Data Protection Officer
A Virtual Data Protection Officer (DPO) may be the most appropriate way of providing strategic and operational leadership on data protection matters to organisations that may not be able to justify a full-time resource. Certified DPOs are an expensive resource: as an alternative you may decide to use a Virtual DPO from InfoSaaS.
Our Virtual DPO service allows you to benefit from their time and experience on demand, on a part-time and often remote basis. If you would like to discuss how a Virtual DPO could benefit your organisation, please contact us for a confidential discussion.