Your inboxes are likely bursting with GDPR compliance emails, as marketing teams across Europe and the rest of the world rush to beat the May 25 deadline. It’s a date that’s been locked into the global calendar for a couple of years now – and one many businesses still haven’t taken notice of.
At Reddico, we’ve taken the legislation extremely seriously. For us, GDPR has presented an opportunity to get on top of data protection, create clear processes and procedures, and ensure our network of suppliers are fully compliant too. As a data controller and processor, your trust in us is really important.
So, what have we done over the last 12 months to make sure we comply with GDPR?
Our team is at the heart of everything we do. Our culture has been created to ensure people thrive, enjoy what they do, and are given the best possible environment to succeed. Their personal data is our responsibility to protect and safeguard.
- Data processing agreements: We’ve sent a data processing agreement to every third party who uses team data. That’s anyone from our payroll company to recruitment agencies.
- Employee contracts: We’ve updated our employee contracts to include GDPR clauses and information on how we process data, and who acts on our behalf.
- Consent forms: We asked for permission to process the personal data of our existing team, and for us to continue passing their data to third parties.
- Data protection policy: We’ve added a policy to our handbook, detailing why and how we process data.
- Recruitment: Our compliance continues to all interactions with potential, future employees at Reddico. Not only have we agreed compliance terms with our external recruiters, but added a tick box to our online form and implemented a deletion policy to ensure unsuccessful candidates are removed from all systems.
We have also ensured the extra security of data stored at Reddico by:
- Presenting a GDPR PowerPoint to the team, running through the various processes, including how Reddico has achieved compliance.
- Enrolling the whole team onto a two-step Gmail verification.
- Undertaking antivirus checks on employee laptops every three months.
- Initiating a change of password policy to team and shared accounts every three months.
There seems to be a lot of misunderstanding regarding what data is impacted by GDPR requirements. Many people are suggesting client or business data wouldn’t fall under this umbrella. However, some client data, such as names, email addresses and IPs would be identifiable to a specific person.
- Supplier agreement: We’ve sent supplier agreements to all parties working with client data to ensure they understand compliance and our expectations for the handling of data.
- Supplier contracts: New suppliers will sign an updated contract, which includes clauses around GDPR and compliance.
- Client contract: Our contract with clients has also been updated with GDPR clauses, specifying our compliance and how we handle data.
Our processes and policies highlighted below also cover client data and how we control and process this.
Policies and processes
As part of GDPR compliance, we have documented various processes for the event of access requests or data breaches. This includes:
- Rights: Under GDPR, there are eight principles tied to data subjects. This includes the right of access, rectification, objection and erasure – so we have created a strict process to ensure complying to all requests within the given timeframe. To exercise any of the principles, data subjects can complete the following form (https://reddico.co.uk/data-preferences/) or email firstname.lastname@example.org
- Data breach: Any breach of data must be acted on instantly. Staff have been trained on how to handle a data breach, and our documented policy identifies the steps we must take to ensure reporting and resolving an issue.
- Controller & processor forms: Reddico have completed and stored forms detailing what data is held on employees and clients, who has access to the data, and on which systems the data is stored.
- Data deletion: Our new data deletion process has been created to ensure data we no longer have reasonable need for, is removed from all systems controlled by Reddico and our suppliers.
General data protection improvements
Along with the policies and procedures updated to cover data protection for employees and clients, we have also covered the following areas:
- Appointed a Data Protection Officer, who can be contacted at email@example.com
- Registered with the ICO as a data controller
- Updated our business insurance to cover data protection and cyber security
- Created a policy to carry out data audits on an annual basis
- Written a blog post to list our compliance procedures
The last word
As a company, we’ve worked hard to ensure compliance as a trusted controller and processor of data – but it doesn’t end here. We’ll continually be looking to refine and improve our processes and operating systems in the future to be one step ahead. Data protection isn’t something that’ll disappear – it’s going to stay with all of us, for good.
If you have any questions about our policies or how we’ve gone about complying, please drop us an email at firstname.lastname@example.org
Our GDPR presentation
After reaching GDPR compliance for controlling and processing personal data, we presented to the team to raise awareness and provide further information on the processes created under the legislation. To ensure accuracy we used terms and phrases directly from the International Commissioner’s Office (ICO). If you need any help and support in ensuring compliance for your business, please visit their website directly: https://ico.org.uk/