Version:1; Approved By: Board of Trustees; On: July 2018; Review Date: July 2019; Author: Damian Brown
The General Data Protection Regulation (GDPR) comes into force on the 25th of May 2018. It was introduced to unify all EU member states' approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organisations using their data irresponsibly and puts them in charge of what information is shared, where and how it's shared.
Organisations can be fined for breaching GDPR rules, normally where the regulator identifies systematic failure rather than a one-off occurrence.
The steps that have been taken
We have followed the 12 steps in readiness for GDPR to review compliance across the 3 organisations. These are: Awareness; Information you hold; Communicating Privacy Information; Individuals' rights; Subject Access Requests; Lawful Basis for Processing Personal Data; Consent; Children; Data Breaches; Data Protection by Design and Data Protection Impact Assessments; Data Protection Officers; International.
We have a full action plan and documentation to ensure we are compliant, with actions in place where further work is required. GDPR is an extremely complex topic, but this briefing is designed to let you know how it affects you.
What does this mean to me?
You need to be confident when you are handling or processing data that you are doing this correctly. The easiest steps to take are to ask yourself the following questions.
- Should I have this data, am I authorised to see it and is it securely captured/held?
- Has the person given consent for me to have their data and for what purpose?
- Am I processing it lawfully and for the purpose for which it was given?
- Once I have processed it, should I delete it? (In most cases the answer will be yes.)
- As part of the process, or at the end of it, am I sharing this data with someone else? If so, this needs to be done in a secure way, such as using encryption or links to online files.
Whilst this might feel a little overwhelming at first, in the vast majority of cases you will already be doing this correctly, with the required authorisation to proceed.
The main data flows within the organisations have been assessed and with some small tweaks are deemed to be compliant. You will receive additional training and help in managing data and files by using tools such as the data retention tool within Outlook.
The Data Protection Officer (DPO) is here to support you and if you are unsure about anything, please make contact (in confidence) with Damian Brown, email@example.com or 07850 913051.
In addition to the briefings, Instructus has produced two key documents to help you understand the organisation's approach to GDPR and your responsibilities as an employee or contractor.
- Instructus Privacy Standard: this details how Instructus and its subsidiaries collect and use personal information during and after your working relationship with us.
- Instructus Data Protection Policy: this details how Instructus and its subsidiaries use personal data and what the expectations on employees, workers and contractors are.
These documents have been loaded into the company HR system for direct employees and are available to all non-direct employees. It's important you read through these and note any concerns or clarifications you require. Whilst GDPR is an organisation's responsibility to get right, employees and contractors have a personal responsibility to comply with GDPR.
If you want to find out more about GDPR, there are supporting resources available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Does this mean I need to delete all the data I have?
- Not necessarily. If you have access to identifiable, personal or sensitive data which you need to perform your job and you have the consent to hold this information, you don't need to delete it, but be aware that you should only be using it for the purpose intended. If you have finished a report and no longer require the data, you should delete it or store it securely in line with the data retention policy for that type of data.
- I want to know what data the organisation holds on me and for what purpose.
- Contact the Data Protection Officer (DPO) for a confidential conversation about your concerns or to make a subject access request. Damian Brown, firstname.lastname@example.org, 07850 913051
- Someone has asked me about a subject access request, what do I do?
- Contact the Data Protection Officer (DPO). Damian Brown, email@example.com, 07850 913051
- Does this mean I can’t contact potential customers about a sale?
- Our CRM systems will be compliant and we will have consent to contact customers after the 25th of May. If someone has contacted you via email to discuss a sales enquiry, you should continue to correspond with them as normal; however, you need to ensure (at the appropriate time) that you ask for their consent to pass their details into our CRM.
- I have emails from many years ago containing personal information.
- We will be supporting individuals over the coming months with data retention tools. If you are holding data which is no longer relevant, then you should delete it, or contact the person to obtain their consent to hold onto it for longer or to pass it into the CRM.
- I've got a memory stick with personal information on it, what should I do?
- Firstly, is the data still relevant to be held? If not, then it should be deleted. If you feel it is still relevant to hold, establish where it should be stored and move the data to a secure location, ideally SharePoint or similar. Familiarise yourself with the data retention policy relating to the type of information you are holding so you can be sure you are compliant.
- I am worried about something but don't know what to do.
- Contact the Data Protection Officer (DPO) for a confidential conversation about your concerns. Damian Brown, firstname.lastname@example.org, 07850 913051
- I use portable memory sticks for sales presentations and training materials, what do I do?
- It is unlikely you will have any personal information in these materials, so they should be safe to keep. Ensure you are familiar with the content, and if it can be used to identify an individual, refer back to the guidance on data retention.
- Can I keep data on a personal device?
- If you use a personal device for work purposes, you need to speak to your manager about whether this is appropriate. In some cases, for example for presentations, this may be suitable. Device authentication will be introduced this year, which will protect our network so that only devices that we know are authorised can be used. If you are using a personal device you must ensure it is secure, and you must treat data in exactly the same way you would on a work device.