What is the GDPR
The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will impact every organisation that holds or processes personal data.
It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the current Data Protection Act (DPA), which it will supersede.
Courts Design’s approach to GDPR
Courts Design is committed to implementing and maintaining high standards of information security, privacy, and transparency. We impose strict rules on ourselves for protecting and managing data in accordance with the GDPR and other applicable regulations – including the PECR.
We will comply with applicable GDPR regulations when they take effect in May 2018. As a data processor, we will be working closely with our customers and partners to meet contractual obligations for our procedures, products, and services.
We seek to embed the GDPR into our operating principles and ensure our employees are constantly mindful of its importance to them as data subjects and that they should consider it always when dealing with other people’s personal data.
What we have done
We recognised that GDPR is a specialist area and commissioned a professional organisation to advise us. We asked GDPR Auditing to help us with our GDPR programme, they performed a thorough independent audit of our readiness for GDPR. Following the audit, we set about creating a compliance programme for implementing all the recommendations identified in the audit report.
What we are doing
We are working through all the recommendations proposed by our advisors, focussing on the personal data we hold for our customers, clients, suppliers, and vendors.
We are preparing our staff for the GDPR by making them aware of their responsibilities in respect to other people’s data and ensuring that they in turn know how we deal with their personal data.
We are updating all our policies and procedures in light of the GDPR.
We are updating our notices and system procedures so that all data subjects are aware of their rights and freedoms.
We are continually investing in technology so that we can be sure that all the data we hold is kept secure, trackable and that we are able to find it easily to delete/destroy/remove on request or when it is out of date.
We are removing all the personal data we no longer need or do not have a lawful basis for holding onto, and where we need to process personal data we are seeking consent if required and or defining the lawful basis under which we are able to process the data.
We are implementing an incident management and breach reporting process so that should an issue arise with any personal data we can quickly and efficiently detect and report the problem, including notifying the ICO and individual data subjects if required.
What we ask others to do
Where we share data with 3rd parties we are updating relevant contracts and agreements so those 3rd parties are legally bound to take care of our personal data. This will enable us to ensure those 3rd parties fall within our compliance guidelines.
If we are going to process personal data form a 3rd party we ensure that they have the right to send us that data. Once we receive it we will notify the individual data subjects that we have it and what their rights are.
We will ask all our employees to undertake regular awareness training so that they can respond to data subject requests and recognise what an incident or breach is and know where to report it.
Who to contact.
If you require more information please email firstname.lastname@example.org