The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. The GDPR is intended to strengthen data protection for all individuals within the EU and all organizations conducting business within the EU (regardless of the organization’s location) will be expected to comply with these regulations when dealing with EU residents.
Key decision-makers within CK Contracts Ltd. are fully aware of the upcoming changes to the EU data protection legislation. We are in the process of conducting a data audit and a data protection risk assessment of our EU and Non-EU-data business’ wide and to design improvements to our standard procedures and/or documentation.
We are in the process of developing and executing a training plan to educate our employees of the importance of GDPR and of any changes being introduced to the business to comply with the GDPR.
We are auditing all categories of personal data controlled and processed by CK Contracts Ltd. and on behalf of our Customers, to determine at which point CK Contracts Ltd. is the data controller processor and/or co-controller. This includes reviewing our processes for acquiring, holding, accessing and sharing personal data, as well as revising our data retention policies.
Communicating Privacy Information
We are revising our privacy notices to ensure that these comply with the additional information requirements which will be required by the GDPR. We are also reviewing our standard operating procedures to ensure that all privacy notices are made available to the relevant individuals timeously.
We are also reviewing our contracts with suppliers, partners and customers to assess any new data protection requirements.
In some instances, CK Contracts Ltd. has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to info@CKContracts.co.uk.
The rights of individuals with respect to their personal data will be enhanced by the GDPR, so we are revising our standard operating procedures as well as our data storage and IT systems to ensure that we will be able to comply with any exercise of such rights. We are developing procedures to respond to a request for access to personal data, an objection to processing or a request for deletion of data.
Subject Access Requests
We are developing and/or implementing our processes around providing access to personal data in the event of a subject access request to ensure that we can comply within the new (shorter) timeline. In connection to this, we are updating our standard operating procedures around data storage and data retention to ensure we are not holding unnecessary personal data.
Lawful Basis For Processing Personal Data
As part of our data audit, we will identify the categories of personal data we hold and what processing activities we undertake and we have determined the lawful justification for each. In general, most of our processing activities as data controller or co-controller are required in the performance of a contract or in the legitimate interests of our business (without having an undue impact on the fundamental rights and freedoms of the individuals involved). Additionally, we act as data processor for many our customers, so we are revising our data processor contracts for compliance with the GDPR.
Our privacy notices will be updated to specifically explain the lawful basis of our processing activities.
In the limited circumstances where we will need to rely on consent of the data subject for the processing of personal data, we will have all appropriate procedures for seeking, recording and managing consent in accordance with the enhanced requirements of the GDPR.
In the course of doing business, we do not process any personal data relating to children and our services are not directed towards children. As we may process personal data relating to children on behalf of our customers we are reviewing our data processor contracts and our standard operating procedures to ensure compliance with the additional safeguards afforded to children and their personal data.
We will update our privacy notices based on client requirements.
We take data breaches very seriously, so although we already have a data breach procedure in place, we are updating and improving all processes for detecting, investigating and reporting data breaches.
Data Protection Impact Assessments
If we decide through the course of our project new initiatives which would require a data protection impact assessment, we will follow our standard operating procedures for future use to ensure that we consider the privacy impact on individuals as part of our overall assessment of new projects.
Data Protection Officer
We have appointed a Data Protection Officer to fulfil the role of ensuring our on-going compliance with data protection regulations.
If you have any additional Compliance questions, please feel free to email info@CKContracts.co.uk