DPA and GDPR compliance
In the late spring of 2016, the new EU General Data Protection Regulation (GDPR) was finalised and approved; EU members now have until May 2018 to ensure that they are fully compliant. Regardless of Brexit, organisations in the UK that collect and use personal data will need to comply with the new regulation.
Much of the new regulation matches the good practice and legal requirements already established in the Data Protection Act (the Act); however, there are some changes, for example:
Not all of the requirements of GDPR will apply to every organisation – and, doubtless, not every breach will be penalised – however, the law is real and in place now, and there is every likelihood that there will be increased scrutiny of organisations in the not-for-profit sector.
Getting compliant involves more than making sure your information systems can cope. You need to think about business processes, policies and procedures, roles, responsibilities and training. Putting the necessary systems and structures in place takes time and expertise.
Our consultants are specialists in the field of information security and can guide you through an assessment of your current systems through to implementation of sustainable improvements that are appropriate, achievable and compliant.
We can adapt our approach to suit your circumstances and culture. Typically, though, our approach comprises:
We discuss your overall approach to information security, identify the range of policies and controls you have in place to protect your data and agree with you a programme of compliance testing for stage two.
We interview a selection of staff, and trustees and volunteers if appropriate, to assess the extent to which policies are understood and being adhered to, and the effectiveness of other controls. In this stage, we also carry out testing of the IT-specific controls.
We document our findings and recommendations in a report which:
- Summarises our assessment of your current arrangements for data protection
- Identifies any areas of non-conformance with the Data Protection Act
- Sets out the actions we recommend to improve conformance and the resilience of the systems and processes involved.
Our approach ensures that you benefit from our knowledge and experience of information security management and are confident that the key risk areas are considered. We work exclusively with charities and not-for-profits and understand the business environment in which you operate and best practice across the sector.