DPA and GDPR compliance
Both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) took effect on 25 May 2018. Alongside this new legislation, the older Privacy and Electronic Communications Regulations (PECR) of 2003 remain in force, though they are expected to be replaced by new European ePrivacy legislation in early 2019.
Much of the new regulation matches the good practice and legal requirements already established in the Data Protection Act 1998 (DPA 1998); however, there are some changes, for example:
Not all of the requirements of GDPR will apply to every organisation, and, doubtless, not every breach will be penalised. However, the DPA 2018 is now law, and in all likelihood organisations in the not-for-profit sector will come under increased scrutiny.
Getting (and staying) compliant involves more than making sure your information systems can cope. You need to think about business processes, policies and procedures, roles, responsibilities and training. Putting the necessary systems and structures in place takes time and expertise.
Our consultants are specialists in the field of data protection and information security and can guide you from an assessment of your current policies, systems and processes through to the implementation of sustainable improvements that are appropriate, achievable and compliant.
We can adapt our approach to suit your circumstances and culture. Typically, our approach comprises three stages:
Stage one: We discuss your overall approach to data protection, identify the range of policies and controls you have in place to manage and protect your data, and agree with you a programme of compliance testing for stage two.
Stage two: We interview a selection of staff (and trustees and volunteers, if appropriate) to assess the extent to which policies are understood and adhered to, and the effectiveness of other controls. In this stage we also test the IT-specific controls.
Stage three: We document our findings and recommendations in a report which:
- Summarises our assessment of your current arrangements for data protection
- Identifies any areas of non-conformance with current legislation
- Sets out our recommended actions to improve conformance and the resilience of the systems and processes involved.
Our approach ensures that you benefit from our knowledge and experience of data protection and can be confident that the key risk areas have been considered. We work exclusively with charities and not-for-profits, so we understand the business environment in which you operate and best practice across the sector.