The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 and impacts every organisation that holds or processes personal data. It has introduced new responsibilities, including the need to demonstrate compliance, more stringent enforcement, and substantially higher penalties than those under the Data Protection Act which it supersedes.
Henderson Loggie is strongly committed to protecting the privacy of personal data that we maintain about our clients, employees and other individuals. As part of this commitment to privacy, we have reviewed our data protection practices to comply with the new legislation, updated industry standards and best practices. We are committed to being GDPR compliant, both as a Data Controller and as a Data Processor.
We have always taken our clients' privacy rights into consideration and we will continue to do so, ensuring that we have appropriate organisational and technical measures in place to protect our client data under the new standards. In addition, we are also committed to ensuring that our partners and key suppliers are compliant with data protection legislation and are made aware of the changes to our policies and procedures.
What have we done?
Henderson Loggie began preparing and pursuing compliance in 2017. The GDPR is a complex piece of legislation, and we've been working extensively to be sure we're compliant with this new regulation so that our clients and key partners can be certain that they are dealing with a GDPR compliant business. We will continue to monitor our compliance with the updated legislation beyond 25 May 2018.
Here is a summary of our GDPR compliance progress detailing the various elements we’ve been working on in order to comply:
- Appointed a Data Protection Officer
- Revised our Standard Terms of Business to reflect our data protection responsibilities as a data controller and a data processor
- Updated our Privacy Notice
- Updated our activities and associated policies and procedures as necessary in order to comply with GDPR following a thorough assessment
- Developed procedures to allow us to respond to subject access requests and to report data breaches within the statutory timescales and, where required, to ensure that our clients are promptly notified
- Mapped our data flows and created a precise inventory of all personal information that we control, including identifying our lawful basis for each activity
- Implemented an email subscription service
- Began a phased implementation of our secure client portal
- Strengthened our user access controls for all of our systems
- Developed a longer-term strategy addressing further technical measures that we plan to put in place
- Implemented a programme of data protection training for all staff
- We continue to work towards further accreditations that demonstrate our commitment to information security, including personal data, such as Cyber Essentials