In 2012, the European Commission began a process to reform Europe’s existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. GDPR was agreed and adopted in 2016 and will take effect on 25 May 2018. GDPR aims to make data protection regulations:
- More relevant: Updating EU data protection standards to make them more suitable for today’s world
- More comprehensive: Remedying some of the perceived deficiencies of the current Data Protection Directive
- More unified: Achieving a better, more harmonised standard of data protection throughout the EU
What does GDPR change?
GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
Demonstrable compliance: While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.
Enhanced rights: On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.
Privacy by design: Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start of (and throughout) the systems and product design process.
What is PODFather doing about GDPR?
At PODFather, we take our responsibilities under GDPR seriously. To fully comply with the European Union General Data Protection Regulation (EU Regulation 2016/679), PODFather shall:
- Keep all personal information (including employee information) secure, regardless of its format or category, or the process or activities which use it, to prevent accidental or unauthorised loss, theft or breach.
- Maintain a full and accurate inventory of all personal data which is under its control.
- Provide regular data protection training to all personnel and third parties who are engaged in delivering any activity which involves the processing of personal data.
- Provide specific data protection training for those employees with specific GDPR responsibilities, including Senior Management and the organisation’s GDPR Lead.
- Ensure that all data processing activities are subject to full and accurate Data Protection Impact Assessments, and promptly act to remediate the findings of such assessments.
- Ensure that personal data processing activities are afforded suitable protection by conducting risk assessments of the physical, technical and personnel elements of the activity.
- Validate that personal data is afforded the protection which is documented within the Acceptable Use Policy and Access Control Policy.
- Only process personal data for legitimate business purposes, and in accordance with the Data Protection Impact Assessment which has been prepared to cover that purpose.
- Ensure that all personal information is properly returned or effectively deleted or destroyed when it is no longer required.
- Implement a suitable mechanism and supporting records for recording data subject consent for the processing of their personal data and using these records as a reference point when deciding how personal data is to be processed.
- Clearly communicate to data subjects how their personal data is to be processed, where it is to be transferred to (if applicable), and their rights as data subjects.
- Maintain clear and concise Privacy Notices, and related information for data subjects.
- Ensure that third parties involved in personal data processing activities understand this Policy and related GDPR documentation and can evidence their own levels of GDPR compliance.
- Ensure that effective processes, technical controls and competent resources are in place to undertake tasks related to delivering the rights of data subjects promptly and diligently.
- Implement effective processes and monitoring controls to provide protection for personal data, and to detect any loss, theft or data breaches.
- Authorise any off-site or offshore processing of personal data before it takes place, and update and reissue the corresponding Data Protection Impact Assessment.
- Undertake to promptly report any actual or suspected data breaches to the Information Commissioner’s Office within the required timeframes, and to communicate the breach to affected data subjects.
- Willingly and fully co-operate with any investigations into data breaches as may be required by the Information Commissioner’s Office.
Any questions related to the operation of this policy should be directed to the GDPR Lead. The GDPR Lead can be contacted using the e-mail address: firstname.lastname@example.org