Introduction
The European Union has taken a monumental step in protecting the
fundamental right to privacy for every EU resident with the implementation of
the EU General Data Protection Regulation (GDPR); this regulation seeks to
empower individuals to take control of their personal data and to support
organisations with their lawful processing of personal data.
The GDPR (which, regardless of the decision to leave the EU, will also
become law in the UK under the Data Protection Act 2018) is due to come into
effect on 25th May 2018 and will impact every organisation that holds or
processes personal data.
This replaces both the 1995 EU Data Protection Directive and the Data
Protection Act 1998, strengthening the rights that EU individuals have over their
data and, in theory, creating a uniform data protection standard across Europe.
It will introduce new responsibilities for all organisations including the need to
demonstrate compliance, more stringent enforcement and substantially
increased penalties.
Our commitment
At Warranty Administration Services Ltd (WAS) we are committed to high
standards of information security, privacy and transparency and have been
working hard to ensure we comply with the GDPR from May 2018.
We have been actively working on our GDPR strategy for most of the past
year, scrutinising the new legislation to build a tailored programme of
change to further protect the fundamental privacy rights of all those we hold or
process data about and ensure diligent compliance across our organisation.
Our GDPR project team is focused on the strategy and implementation of
GDPR, and as part of our commitment towards our customers, suppliers,
affiliates and our own business the following preparations have been made:
- We brought in experts to produce an independent readiness assessment on
our company to evaluate how prepared we were for GDPR, allowing us to
identify gaps and risks.
- We then wrote a compliance programme to enable us to track our GDPR
obligations, including review of consent collection, privacy and retention policies
and privacy impact assessments.
- We have compiled a comprehensive data catalogue, detailing all of the
personal data that we hold and process within the organisation, how it is
stored and for how long it is retained.
- We have confirmed our lawful basis for each type of processing of personal
data in line with the new regulatory requirements.
- We have reviewed our information security processes to ensure they remain
robust.
- We are running dedicated training workshops, and new procedures have been
established. These are aimed at all staff to ensure they understand the basics
of the new data protection law, to highlight and reaffirm the importance of
personal data security and to educate them on how to recognise and respond to
any requests made by data subjects in relation to their rights under the GDPR.
We believe passionately that staff awareness within our organisation is vital
to ensure our GDPR compliance.
- We are making changes to operational processes and procedures to ensure all
requests from data subjects continue to be handled correctly, including how we
respond to requests for data portability, rectification and erasure of personal
data, access to information and the restriction of processing.
- We are amending our process for identifying and reporting potential data
breaches in line with the new regulations.
- We are updating our privacy policy to give further information about how we
collect, process and protect personal information, which includes not only that
of our customers but of our suppliers and affiliates.
- We will continue to make additional operational changes in keeping with the
latest industry best practices and will actively monitor ongoing regulatory
guidance and interpretations of key GDPR requirements to make sure we're
well informed and doing the right things both up to the deadline and beyond.
We will update our customers, suppliers and affiliates accordingly.
Changes we are making that you will see
To reduce the risk of Personally Identifiable Information (PII) being seen on
any reports that we send, we are going to remove the customer name. This will
still leave the registration number and stock number for you to identify the sale.
We will carry out an audit of report recipients to ensure that unnecessary copies
are not being sent, reducing the risk of a data breach.
We will be introducing amended paperwork for warranties that are registered
after the GDPR comes into effect. This will include all the details required to
ensure full compliance with the change in law.
What should you do?
There is no substitute for suppliers and affiliates seeking their own legal advice
if they are unsure about the implications of the GDPR for their business, but we
have produced a list of actions that may help you with your GDPR compliance
planning:
- Review the current security and privacy processes you have in place and,
where applicable, perform due diligence on companies with whom you share
personal data and revise your contracts with third parties and customers to
meet the requirements of the GDPR.
- Audit your data and identify the personal data (Personally Identifiable
Information) that is being collected, paying particular attention to sensitive, or
special, categories of data.
- Analyse how this information is being processed, stored, retained and deleted
and ensure you have a lawful basis for processing the data.
- Assess the third parties to whom you disclose data.
- Establish procedures to respond to data subjects when they exercise their
rights.
- Create processes for data breaches including identification and reporting.
- Ensure that all of the staff within your organisation are aware of GDPR and its
implications. Continuous employee awareness and training is vital to ensure
compliance with the GDPR.
- Ensure sufficient records of processing are kept to enable compliance with the
new 'accountability' principle.
For more information, you can visit the ICO website.