On 25 May 2018 the new EU General Data Protection Regulation (GDPR) comes into force (this includes the United Kingdom regardless of its decision to leave the EU) and will impact each and every organisation that holds or processes personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and a significant increase in penalties compared to the current Data Protection Act (DPA) that it will supersede.
Simply put, individuals will now have greater say over how, why, where and when their personal data is gathered, processed and disposed of. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data.
Castleton has always taken our customers’ right to data privacy and protection seriously. We have demonstrated our commitment by adhering to the current UK Data Protection policy, and have revised our own internal policies in order to meet the requirements of the GDPR.
Castleton is, and has always been, committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards.
As we work towards compliance, we have engaged an external advisor to ensure we deliver best practice, and our programme up to May 2018 includes the following:
What we are doing to help our customers
Castleton is fully aware of our role in helping to provide the right tools, systems and processes to support our customers’ need to meet their GDPR mandate.
GDPR Statement of Compliance
We have engaged an external advisor to ensure we deliver best practice in compliance.
Customer Contracts: Our customer contracts have been reviewed and a renewed Master Services Agreement has been created to address GDPR compliance.
Data handling processes: We have undertaken a review of our data handling operations, logging sources of data, data processing activities, data flows and the purposes of data processing, in addition to the controls in place to restrict access to data and to protect it.
Policy Development: We have reviewed and refreshed our range of policies, including (but not limited to) our data centre's ISO 27001 controls, Data Breach Policy, Business Continuity Plans, DPO appointment, Subject Access Requests, Individuals' Rights and ICO Good Practice.
Data Impact Assessments & Data Inventory: We have undertaken a review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records. Assessments of the data have reviewed information flow, any data transfers, risk reviews, and structural position in relation to Lawfulness, Purpose, Minimisation, Accuracy, Consent, Limitation, Integrity & Confidentiality, Record Keeping and Accountability.
Training & Awareness: We are conducting training across the Group on the GDPR and its impact, covering the new policies, procedures and responsibilities of staff and stakeholders under this new regime.
Supplier & Partner relationships: We have catalogued all third parties to whom we disclose or with whom we share personal data. Where relevant, we are using all reasonable endeavours to ensure that our third parties and suppliers are complying with the GDPR.
Technology: We have reviewed our technology platforms to analyse their operation, security and compliance, in order to ensure that they meet the standards we have laid down and to identify any gaps and risks.
Controls: We will review the controls in place on a regular basis and amend them as required.