We have hired a dedicated Data Protection Officer (‘DPO’)
Under Article 37 of GDPR there is a requirement to appoint a DPO for certain data processing activities.
Going beyond GDPR requirements, we have taken the step of appointing a DPO who is focused solely on ensuring the security of your data.
We are making sure we have GDPR-aligned contractual terms in place with you
Under Article 28 (3) of GDPR, any processing you engage us to carry out for you must be governed by a contract between us.
GDPR requires particular information to be contained in that contract, and we are drafting a GDPR-aligned legal document for you in time for May.
Expect to see a Data Processing Addendum (DPA) arriving for signature any day now.
We are updating our policies and procedures to reflect GDPR requirements
The changes GDPR is bringing in need to be reflected in our business processes.
In accordance with Article 24 (2), we are updating our internal policies and procedures and implementing new ones where necessary.
For example, under Article 33 a new obligation exists for data breach reporting, and we have a new procedure in place to reflect it.
Under Article 28 (3) (h) we also need to be able to demonstrate that our processing is GDPR compliant. One way we can do that is to provide you or the ICO (the national data protection authority) with copies of our documented policies and procedures.
We are reviewing and updating our contractual terms with our sub-processors
Under Article 28 (4) we are responsible and liable for any processing carried out on our behalf by our sub-processors.
We are undertaking due diligence to ensure that all processing that is undertaken by our sub-processors is GDPR compliant.
This includes ensuring that our US-based sub-processors have GDPR-level security measures in place to protect your data.