In August 2017 we published information on how Expolink is preparing for GDPR. With the May deadline drawing ever closer, this article provides an update on our journey toward full compliance with the new regulations.

Overall summary

Our dedicated GDPR project team has made significant headway over the past nine months to ensure:

  • colleagues from all departments are aware of the upcoming changes
  • processes are reviewed to not only be compliant, but also more efficient

Since our last update, the UK Parliament has also begun its review of the Data Protection Bill, which will enshrine the GDPR into UK law.

Whilst the Bill has yet to achieve ascension, it has provided a significant indication of how the UK will interpret GDPR’s more ambiguous provisions. This has allowed us to begin tailoring our approach accordingly.

Project Progression

Our role as a Data Processor under GDPR means that we have greater responsibilities for our own actions, whilst remaining subject to the instructions of our Data Controllers (clients).

We have continued to review our all aspects of our business and engage all departments by explaining the changes being made, the reasoning behind them and the responsibilities of every colleague in enforcing them.

Data Mapping

Having completed our Data Mapping exercise last year, we have identified the “Data Journey” of all Data held by Expolink, the key areas for review going forward, and new policies that we will need to implement to make sure this information is kept up-to-date.

How we tackled the Data Mapping process

We are committed to reviewing our existing mapping annually, with continued input from all Departments.

This will ensure we can always readily identify the “Data Journey” of all Data held by the Company, and make our processes for Subject Access Requests and Potential Breach Notification as efficient as possible.

Our Supplier Management Procedure has been updated to ensure full Data Protection Impact Assessments (DPIA) are conducted, where required, when introducing a new supplier that handles any personal Data on our behalf.

This, combined with the requirement to conduct DPIAs for significant process changes across the business, should ensure our mapping is maintained to a high standard.

Data Protection Impact Assessments (DPIA)

We now include DPIA’s and Data Protection Risks in our monthly quality management meetings to ensure we are constantly reviewing and mitigating any potential risks posed to the Data we hold.

Policy Reviews

GDPR affects all aspects of our business so we have had to review several internal policies to include the new GDPR requirements.

New or amended policies are made available to all staff via our intranet and new training is implemented where necessary.

Data Protection Officer

Under the advisement of external GDPR consultants we have determined that we do not need to appoint an external Data Protection Officer at this time.  Instead, a strengthened internal team has been assigned responsibility for managing all data protection queries.

Call Handler Script

With consent being a major requirement of GDPR, we have had to review our call handler scripts to ensure the Data Subject is fully informed about how their data is handled.

This approach has been applied across all our reporting platforms to ensure that, no matter how a reporter wishes to make a report, they are fully informed about how that report (and the Data within it) is processed.

Data Processing Agreements

New Data Processing Agreements have been drafted and are now required as standard for all new clients. Existing clients have been sent new agreements.

This agreement incorporates our obligations under GDPR into our contracts whilst also reflecting the unique nature of the service we provide.

Subject Access Requests and Data Portability

With our Data Mapping exercise complete we’ve been able to begin implementing a new Subject Access Request (SAR) procedure.

The Data Mapping provides an ideal resource for completing SARs because it details where all data is stored. This simplifies the process of identifying, moving, and removing information, where required.

Sales and Marketing

One of the major concerns about GDPR is the potential effect on current marketing practices.  Having considered the Data Protection Bill, and spoken to various GDPR specialists and industry leading businesses, we have reviewed our current processes to ensure a balance between processing the necessary data and protecting the Data Subject.

Changes to our online contact forms, marketing processes and supplier reviews mean we are placing more focus on the consent to market to specific individuals and equally, provide a clear and easy path for existing connections wishing to ‘opt-out’.

This is still a highly debated area of GDPR which will require more guidance, whether from the ICO, Data Protection Bill, or Case Law, so we will be keeping this area under review going forward to ensure we are compliant with the most up-to-date interpretation.

Ongoing activity

While the 25th May marks the end of a long period of preparation, it’s important to remember that compliance with GDPR is ongoing. Indeed, certain ambiguities are likely to remain so until tested in a court of law.

We’ll publish further updates as required in the months ahead, as the landscape becomes clearer and regulations are written into law across EU member states.