Last updated: 16 August 2018
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU). It is enforceable from May 25 2018 and requires no enabling legislation, so it automatically becomes binding and applicable on that date.
The GDPR imposes new obligations on organisations that control or process relevant personal data and introduces new rights and protections for EU data subjects.
The GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Rapid Information Systems places great importance on information security, and within our Group we are already implementing a number of standards that also focus on information security, including ISO 27001 and Cyber Essentials.
Rapid Information Systems are:
– Processors for our hosted client data
– Controllers of our client and supplier contact information, which is required to manage and deliver services under contract and to manage customer requests and incidents
– Controllers of personnel information relating to employees of Six Degree Group companies
Our GDPR principles
– We will process all personal data fairly and lawfully
– We will only process personal data for specified and lawful purposes
– We will endeavour to hold relevant and accurate personal data and, where practical, we will keep it up to date
– We will not keep personal data for longer than is necessary
– We will keep all personal data secure
– We will ensure that personal data remains within the European Economic Area (EEA)
During our journey to GDPR compliance, Rapid Information Systems has worked, and continues to work, closely with an external adviser to ensure we have the expertise required to implement the requirements of the legislation accurately and comprehensively.
We view GDPR as a constant programme of works that will require continuous monitoring, management and improvement.
Work streams and actions taken
The table below shows the main activities to ensure compliance:
| Work stream | Action taken |
|---|---|
| Data Impact Assessments & Data Inventory | We have undertaken a review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records. Assessments of the data review information flow, any data transfers, risk reviews, and structural position in relation to Lawfulness, Purpose, Minimisation, Accuracy, Consent, Limitation, Integrity & Confidentiality, Record Keeping and Accountability. |
| Website Data Collection & Consent, Privacy Notice | The Rapid Information Systems privacy notice has been updated to cover the new GDPR requirements in respect of individuals. |
| GDPR training and awareness | Internal staff briefings and training have been carried out, and senior management are aware of their corporate responsibilities. |
| Supplier & Partner relationships | These are under review to ensure that GDPR compliance by our third parties is satisfactory. Where required, GDPR supplier agreements are being completed to ensure that our third parties and suppliers comply with the GDPR. |
| Technology reviews | We are reviewing our technology platforms to analyse their operation, security and compliance, in order to ensure that they meet the standards we have laid down and to identify any gaps and risks. |
| Privacy by Design | This now forms a compulsory consideration for all technical design, alongside ‘security by design’. |
| DPO appointment | We have nominated a DPO within Rapid Information Systems. They can be contacted at firstname.lastname@example.org |