The new General Data Protection Regulation (GDPR) is effective across the UK and EU from 25th May 2018 and impacts every organisation that stores or processes personal data. GDPR supersedes the current Data Protection Act (DPA), and organisations are required to demonstrate compliance or face substantial financial penalties.
AdviserPlus is committed to security best practice and already complies with industry standards, such as ISO27001:2013 and Cyber Essentials Plus. These certifications are subject to internal review and external assessment and we routinely review our security objectives to ensure we operate with the highest security standards.
How has AdviserPlus prepared for GDPR?
To meet the new privacy standard set by GDPR, we have taken the following action:
- Independent Review
Following a review by an external data protection consultancy, it was noted that AdviserPlus was in a strong position to comply with the standards already and only a small number of actions were identified to ensure full compliance by May 2018.
- Project Team
We assembled an internal, cross-functional team focused on implementing required processes and protocols.
- Supplier Review
We have reviewed all our supplier relationships to ensure we fully understand data flows and have the appropriate data contracts in place.
- Culture and Awareness Training
We have embedded GDPR as part of our culture throughout the business through GDPR awareness sessions and updating of internal processing procedures.
- Client Consultation and Engagement (as Data Processor)
We have consulted our clients and worked with them to support them with preparing for GDPR. This includes reviewing data processed, data flow maps, sub-processors / third parties, data retention, and use of data for benchmarking/statistical purposes.
- Privacy Notices
We have reviewed our privacy notices and introduced new ones to comply with GDPR, updated our marketing activities to gather consent, and updated our website for marketing and recruitment.
- Data Protection Policy
We have updated our Data Protection Policy and issued appropriate guidance to staff.
- As Data Controller
For the processing of personal data as a data controller, we have reviewed and updated data retention periods and reviewed the controls of internal systems and procedures.
For more information about how AdviserPlus has prepared for GDPR please contact our Data Protection Officer at firstname.lastname@example.org.