We take our responsibilities under the GDPR seriously and welcome it as an important step in streamlining data protection across the EU. We have embarked on a programme to identify which measures we need to implement to be compliant with the GDPR and are working to implement them in time for May this year. Here is a summary of what we’ve done so far:
- We conducted a data-mapping exercise that tracks personal data flows throughout our systems.
- We underwent an external readiness assessment with a leading security consultancy to find any gaps.
- We created an internal roadmap based on the gap assessment to work towards compliance with the GDPR by 25 May 2018.
- We have run an internal training programme so that employees are aware of what the GDPR requires.
- We’re updating procedures to deal with some key data subject rights, like subject access requests and the right to request deletion.
- We’re reviewing our key third-party sub-processor arrangements to make sure we have the appropriate contractual protections in place to satisfy the GDPR requirements.
Some of the key items we will be working on over the coming months are:
- Integrating privacy by design into system and product development, including through the creation and implementation of data protection impact assessments.
- Updating our external- and internal-facing policies to be compliant and publishing those policies ahead of the GDPR effective date.
- Developing a compliant data retention policy.
- Updating our existing data breach procedures.
- Finalising our data maps and data-processing records.
The GDPR will come into effect on 25 May, but businesses will need to continue monitoring and adapting their data protection policies and technology to remain compliant beyond this date. Poq will therefore conduct regular reviews of our data protection policies and technology.