GDPR & Compliance

Providing Managed IT Support in Hampshire for businesses since 1999

GDPR Compliance for business

What is GDPR?

The General Data Protection Regulation (GDPR) replaced the data Protection Directive of 1995 and came into effect on 25 May 2018 as common law. GDPR applies to organisation’s doing business with the EU and deals with the protection of the personal data of EU citizens. GDPR requires that any breach of data is reported in the UK to the Information Commissioner’s Office (ICO).

The Rights of the Data Subject

Every business owner must be aware of their obligations to not only their customers but to their staff and business partners as well.

These Rights Include:
  • Information: What data will be collected and what will be done with it
  • Access: Allow the data subject to see the data after it has been collected
  • Rectification: The data subject can have the data corrected after collection
  • Erasure (right to be forgotten): Removal of data if there is no legal right to hold it
  • Restriction of processing: No processing of held data if requested not to do so
  • Notification of rectification or erasure: Inform other data processors of the data subjects wishes
  • Data portability: Ability for the data subject to easily transfer the data to another processor
  • Object: Taking account of objections to what you hold and do with their data
  • Object to automated decision making: Ask for a human to override decisions made by algorithms

The Role of the Data Protection Officer (DPO)

Through their normal working practices, each business collects a variety of types of information about the customers, staff and even other businesses that they work with. For those organisations that are required to have one, it is the responsibility of the DPO to ensure that their business remains GDPR compliant.

A DPO:
  • May be a part-time or shared external resource
  • Requires relevant knowledge and experience of data protection law
  • Must have direct access to highest management level
  • Must have no conflict of interest within the organisation (cannot work in your IT department)
  • Monitors compliance and provides advice and guidance on issues of data protection
  • Primary contact point with the supervisory authority (Information Commissioner’s Office)
  • Must remain independent and not be influenced by an organisation
  • Must be directly accessible by the data subject
  • Must be bound by confidentiality

The Data Protection Impact Assessment (DPIA)

DPIA must be performed where processing is likely to result in a high risk to the rights and freedoms of natural persons.
What does the Assessment Include?

  • A description of processing and operations of the data
  • An assessment of the necessity and proportionality of the processing
  • An assessment of the risks to the rights and freedoms of data subjects
  • The measures envisaged to address the risks
  • Evidence of compliance with approved codes of conduct
  • A statement as to whether data subjects have been consulted

Greenpoint will Guide You Through the Process

Each company is unique and our approach would reflect this.
However, there will be a general process that every business will take to GDPR compliance:

  1. The Assessment -Greenpoint will Carry out a full DPIA of your business.
  2. The Plan -Taking the DPIA, we’ll work out what to do and how to do it.
  3. Implementation – We’ll initiate our plan to implement polices and procedures whilst putting in place services and solutions around your IT infrastructure to fill in your compliance gaps.
  4. Ongoing Support – We’ll inform you of regulation changes to help keep your compliance up to date

Does Your Business Need Help With GDPR?