Call +44 (0)1675 430 370 - Mon to Thur - 8.30am to 4.30pm, Fri - 8.30am to 2.30pm

How Hydrajaws made a plan of action to prepare for the GDPR.

At Hydrajaws we take the protection of both personal and business data very seriously, and always have. Therefore, the new General Data Protection Regulation (GDPR), effective from 25th May 2018, has given us a new and refreshing chance to look at our current policies and procedures and check they were fully compliant.

This is an account of our action plan and how we implemented it throughout our company. Use it as a guide for your own plan of action but please note the following disclaimer:

Hydrajaws will not be responsible for the procedures and safeguards other companies put into place to comply with GDPR. You are advised to also undertake your own research and come to your own conclusions for what you need to do. Like we did - you may find the information and rules to be a little bit vague and sometimes contradictory, and must interpret them in the best way possible for your company.

1. Decide who is in charge.

First we appointed someone to be in charge of the data protection within the company. This person would be responsible for the actions taken and the setup and upkeep of the procedures required.

This employee would be our ‘Data Protection Officer’ (DPO) and can be registered as such with the Information Commissioner’s Office (ICO). This is only a legal requirement for some companies (e.g. public authorities) but is a good idea anyway.

Having a DPO meant there was a point of contact for employees or a complainant to answer questions or advise on procedures. This person also attended various seminars and read many websites on this subject, they then drew up a list of actions to perform in order to comply with the new regulations.

2. Draw up a list of the types of data collected.

Our DPO began their plan by drawing up a list of all the types of data that was collected by our company. This had to include the entire operation of the company, from security (CCTV footage), employee payroll and health information, and third parties such as off-site server providers.

This involved meeting with various members of staff within the company and to representatives of suppliers.

This list helped us to identify any weak areas and gave us an idea of the actions that needed covering when writing up policies and procedures.

3. Identify any action needed and implement any procedures.

From the work done making the data collection list, our DPO could recognise any areas that needed tightening up and implement policies where needed.

This could be things such as :
-  locking the cupboard that contained any physical accounts information.
-  deleting old data that is no longer required.
-  educating staff about disposal of data.

Note: None of these specific details are mention in the GDPR – it’s up to us to decide what’s safe and what isn’t.

4. Document the company procedures for both employees and public.

Three documents were then created to cover the following:

                i. The company’s Data Protection policy regarding customers’ and the public’s data.
                ii. The company procedure for handling data, to guide our employees.
                iii. The company’s policy regarding employee’s personal data for staff to sign and agree.

i. As a companion to the company’s terms and conditions, a document was drawn up to describe the company’s policy and procedures for the storage and usage of customers’ data. This would describe their rights to have access to the data, the reason for holding the data and the termination of their data if requested. This would also contain our cookies information and our Hydrajaws app private policy – both of which are published online in the appropriate place.  

ii. A handbook was written up as a guide for employees to inform them of how to comply and what to do when handling data that is already stored or that is generated/comes into the company.

iii. A form was drafted up describing how an employee’s personal data is kept and used (e.g. payroll and health information). This form is signed by all employees to confirm they agree with the company’s policies and that they know their rights regarding the storage and usage of their personal data. 

5. Inform staff and public of the procedures put in place.

A copy of the Employee procedure handbook and the consent form was given out to all staff members. The forms were signed by staff and stored safely by the DPO. Small Data Protection posters were put up to remind staff of the  importance of data protection. Download a PDF copy here.

To inform the public (e.g. Customers and potential customers) - a summary section was placed in the terms and conditions with a reference (or link where appropriate) to the company’s data protection policy document (see 4.i).

Links were placed on our website, as well as a standard cookie consent notice.

6. Create a schedule for data protection procedures checks in the future.

 To ensure the procedures were be adhered to, and to keep them updated, a schedule was drawn up by the DPO.

This schedule would be a timetable of when the DPO performs actions such as :
- check data storage and procedures. Including checking all data held is still relevant.
- check any updates to legislation that needs implementing.
- check the systems at the company have not changed (e.g. a new data server installed).
- check any new members of staff have received the handbook and consent form.
- check any actions taken have been documented.

Some of the actions would be performed weekly and some annually depending on the amount of data involved.

Summary

Remember, the ICO won’t come calling at 4am in the morning with a ‘surprise’ inspection, but they will investigate if there is a complaint made against your company (usually by a disgruntled ex-employee or by a rival company). Having the necessary documents and paperwork in place, and showing evidence of attempting to protect data in the best way possible, will help defend against any incidents and hopefully avoid a hefty fine.

For details on creating your procedures see the ICO website at:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
or:
https://www.itgovernance.eu/blog/en/how-to-create-gdpr-compliant-documentation/

 

 
Posted: 14/05/2018 15:23:28 by Hydrajaws | with 0 comments
Filed under: data protection, GDPR


 
New thread