General Data Protection Regulation (GDPR)

Streets Heaver Computer Systems – Statement of Compliance


Introduction

The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 (including in the UK, regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data or sensitive personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement, and substantially higher penalties than the current Data Protection Act (DPA), which it will supersede.

Those penalties can be fines of up to 20 million euros or 4% of global turnover, compensation claims for damages suffered, and reputational damage and loss of trust.

Another key change under GDPR is that the processor of the information can be just as liable as the controller; previously it was the controller alone who was responsible for the safety of the data. So, for example, if you host your system with a data centre, both you and the data centre are now responsible, whereas before it would have been only you.

You will have to be GDPR compliant if you process any personal information of anyone in the EU, regardless of where the data is held. This is another key change: previously you could abide by the laws of the country the data was stored in, whereas now it is about the individuals you hold data on.

Streets Heaver Computer Systems is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including ISO 27001. The company will comply with applicable GDPR regulations when they take effect in May 2018, including as a data processor, while also working closely with our customers to meet contractual obligations for our procedures, products and services.

The company is focussed on building on existing security and business continuity management systems and certifications, including ISO 9001, ISO 27001 and IGSoC, to ensure our own compliance. We are also committed to producing programmes to support compliance for users of our software applications, including solutions to streamline the process and drive greater efficiency.

It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.


Compliance

Streets Heaver Computer Systems has a robust ISO-based Information Security Management System (ISMS) and, in order to ensure compliance, will implement additional or augmented company-wide controls within the ISMS to meet GDPR requirements. Led by our QA Manager, updated information security policies and procedures will build on existing management systems, informed by data flow mapping, gap analysis and data protection impact assessments.

This will be further enhanced and supported by communication and training programmes, including induction training and an annual refresher programme.

Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.

Streets Heaver's QA Manager will inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, provide the necessary security and ensure ongoing delivery of objectives.

In many areas the hosted services provided by Streets Heaver already conform. As data processor, the company is undertaking risk assessments to include more detailed consideration of the data types we hold, and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention will be reviewed and updated.


Streets Heaver Computer Systems software applications

Streets Heaver's broad range of software applications is used to provide efficient and high-quality services. As such, the company is committed to providing technology solutions to support customers' GDPR obligations, whether through standard features or through added-value solutions or toolkits.

All organisations will need to be confident, for example, that personal and transactional data can be located and anonymised or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data.


Addendum to Contract

To request a copy of our contract addendum for GDPR please e-mail:
compliance@streets-heaver.com


Contact

If you have any questions about our preparation for the GDPR, please contact:
David Skinner, QA Manager, Streets Heaver
compliance@streets-heaver.com

Useful information can be found by contacting the ICO or NHS Digital's data security and information governance team.
https://ico.org.uk/
https://digital.nhs.uk/data-security-information-governance