The General Data Protection Regulation (GDPR) affords Data Subjects new or strengthened rights regarding the handling of their Personal Data. It also places greater responsibilities on businesses to ensure the data they process and hold is adequately protected.
With GDPR coming into force on 25th May 2018, we are well underway in our preparations to ensure WeAnswer is fully compliant.
It is worth noting that there are still areas of ambiguity regarding the interpretation of GDPR. Until the Data Protection Bill has been passed and case law developed, some of these areas are still subject to change.
We have therefore put together our project plan based upon the latest legal commentary, external GDPR consultation, and thought leadership content from across the industry. We also have a dedicated GDPR Project Team tasked with ensuring we are fully compliant by the May deadline.
Here we provide an outline of our preparations and approach.
As a Data Processor, WeAnswer has its own obligations under GDPR, and it will also owe more obligations to the Data Controller than ever before.
Our reviews have considered not only what is required to be compliant, but also how we can help our clients meet their obligations.
An integral part of our GDPR project has been building engagement within the Company. To become fully compliant we need input from every department of the business, so it is important that each department understands the changes we need to make and the reasoning behind them.
Data Mapping and Data Protection Impact Assessments (DPIA)
Our starting point has been to identify all the Personal Data processed and held by the company. This ‘Data Mapping Exercise’ has been integral to our GDPR project, both for identifying the information and areas requiring review and as a foundation for the policy and process reviews that followed.
Thanks to this exercise, we have started developing new templates for Subject Access Requests (SARs) and Data Protection Impact Assessments (DPIAs).
As well as reviewing our Data Mapping annually (or whenever a new process is introduced that involves processing Personal Data), we have added a requirement to complete a full DPIA before introducing any new supplier that will act as a Data Processor on our behalf.
We have also made DPIAs and data protection risks a standing item in our monthly quality review meetings, so that potential risks to the data we hold are reviewed and mitigated on an ongoing basis.
GDPR affects all aspects of our business, so we have undertaken a full policy review to ensure the new GDPR requirements are included where necessary.
New or amended policies are being made available to all staff via our intranet, and training processes have been reviewed and reissued where required.
Data Protection Officer
On the advice of external GDPR consultants, we have determined that we do not need to appoint an external Data Protection Officer at this time. GDPR (Article 37) makes a Data Protection Officer mandatory only for public authorities, or where an organisation’s core activities involve regular and systematic monitoring of Data Subjects on a large scale or large-scale processing of special categories of Personal Data.
Call Handler Script
Transparency is a central principle of GDPR: the Data Subject must be told what data is being processed, transferred and stored, and why.
We are in the process of reviewing the data protection notices callers hear before they connect to our agents, and updating these where required.
Data Processing Agreements
Processing and transferring data on our clients’ behalf is a core part of our business, so Data Processing Agreements are an essential part of our business practice.
GDPR (Article 28) prescribes certain terms that must be included in a Data Processing Agreement, and also identifies other matters that have to be addressed in the course of the agreement. Our new Data Processing Agreements have been drafted with this in mind and are now required as standard for all new clients.
Existing clients affected by this requirement will be contacted regarding these changes. Data Processing Agreements help us to clearly set out the Data Protection obligations of all parties and provide peace of mind for service users.
Subject Access Requests and Data Portability
A new right – Data Portability – is afforded to Data Subjects under GDPR. It applies to Personal Data the Data Subject has provided, where the processing is carried out by automated means on the basis of consent or a contract.
Having completed our Data Mapping exercise, we are now implementing new Subject Access Request (SAR) and Data Portability procedures that enable us to identify, move and (where required) remove information more efficiently.
Sales and Marketing
A key concern for many businesses relates to their Sales and Marketing activity.
Having consulted GDPR specialists and leading businesses, and having revisited the Data Protection Bill, we have reviewed our current processes to ensure we can gather and process the data we need whilst also protecting the Data Subject.
We also plan to change our online contact forms, marketing processes and supplier reviews so that more focus is placed on consent to market to individuals, and so that contacts with whom we already have an established relationship are given a clear and easy path to “opt out” of future communication.
This is still a highly debated area of GDPR which will require further consideration so we will be keeping this area under review going forward to ensure we are compliant with the most up-to-date interpretation.
To ensure compliance across the business, we have reviewed our training processes to make sure GDPR is a key element of employee training, both on induction and throughout the term of employment.
GDPR training has been prepared for all employees handling Personal Data to help them better understand their obligations, and potential consequences of non-compliance.
As well as the data we handle as a Processor, we are also the Controller of our employees’ data, and a full review of the processes relating to this has therefore also been conducted.
There is still uncertainty as to whether existing retention guidance on HR records will prevail over GDPR’s Data Minimisation and Storage Limitation principles. For the time being we have put in place processes to ensure that only essential data is retained, duplicates are destroyed and documented retention periods are applied.