The Data Protection Act which was an EU directive (95/46/EC) which will be repealed on 25^th May 2018 to be replaced by the General Data Protection Regulation (GDPR) which will bring with it additional responsibilities for the capture, use, storage and dissemination of Personal Data.

There will be implications for both your Human Resources (HR) and Information Technology (IT) Departments .

Allan Webb Ltd our parent group is a proven technical documentation house with a commercial scanning facility. We are ISO 9001:2008 and ISO 27001 accredited.

If you hold any data in hardcopy relating to staff or and other persons you will need to understand that such documents are in the scope of GDPR and thus must be lawfully, processed and adequately protected from accidental or malicious disclosure and stored appropriately and be able to be retrieved efficiently.

The new act could mean a fine of 20 million euros or 4% of you worldwide turnover, whichever is more if you are found to be processing personal data unlawfully. Other fines can occur in the event of a data breach for which the Information Commissioners Office (ICO) are not informed within 72 hours of the breach being identified.

Not sure what documents you are holding in storage or generally in hardcopy?

Scanning your documents and working with them digitally in PowerRetrieve puts you in complete control. It gives you instant and permission based access to the documents you need. The searching function is easy and the system will only show users documents they are allowed to access so security of the document in also controlled. Audit logs are created to track users requests.

Contact us today to discuss the options available.

1. Awareness

Decision makers and key people in your business are aware that the law is changing to the GDPR and appreciate the impact this is likely to have. Your business has identified areas that could cause compliance problems under the GDPR and has recorded these on your organisation’s risk register. Your business is raising awareness, across your organisation of the changes that are coming.

2. Accountability

Your business has set out the management support and direction for data protection compliance in a framework of policies and procedures. Your business monitors compliance with data protection policies and regularly reviews the effectiveness of data handling / processing activities and security controls. Your business has developed and implemented a needs based data protection training programme for all staff. 

3. Information you hold

Your business has documented what personal data you hold, where that data came from and who it is shared with. Your business has planned to conduct an information audit across the organisation to map data flows.

4. Data Protection by Design and Data Protection Impact Assessments

Your business has implemented appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities. Your business understands when you must conduct a DPIA and has processes in place to action this. Your business has a DPIA framework which links to your existing risk management and project management processes.

5. Data Protection Officers

Your business has designated responsibility for data protection compliance to a suitable individual within the organisation. Your business has appointed a Data Protection Officer (DPO) if you are a public authority or you carry out large scale monitoring of individuals or you carry out large scale processing of special categories of data or data relating to criminal convictions and offences. Your business supports the data protection lead through provision of appropriate training and reporting mechanisms to senior management.

6. Lawful basis for processing personal data

Your business has reviewed the various types of processing you carry out. You have identified your lawful basis for your processing activities and documented this. You business has explained your lawful basis for processing personal data in your privacy notice(s).

7. Consent

Your business has reviewed how you seek, record and manage consent. Your business has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.

8. Children

If your business offers services directly to children, you communicate privacy information in a clear plain way that a child will understand. If your business offers ‘information society services’ directly to children, your business has systems in place to verify individuals’ ages and to obtain parental or guardian consent where required.

9. Communicating privacy information

Your business has reviewed your current privacy notices and has a plan in place to make any necessary changes in time for GDPR implementation.

10. Individuals’ rights

Your business has checked your procedures to ensure that you can deliver the rights of individuals under the GDPR.

11. Subject access

Your business has reviewed your procedures and has plans in place for how you will handle requests from individuals for access to their personal data within the new timescales outlined in the GDPR. Your business has reviewed your procedures and has plans in place for how you will provide any additional information to requestors as required under the GDPR.

12. Data breaches

Your business has implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. Your business has mechanisms in place to assess and then report relevant breaches to the ICO where the individual is likely to suffer some form of damage eg through identity theft or confidentiality breach. Your business has mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.