This document sets out the initial steps that Global Lingo is taking to ensure the Company complies with the General Data Protection Regulation (GDPR).
The GDPR requires all businesses to demonstrate they are processing data legally and protecting the rights of individuals regarding the personal data held.
Understanding what data the Company holds and uses across the business will help us comply with the new regulations. For this reason, a full data audit is being carried out internally. As part of this audit, we are in the process of:
- Identifying the personal and sensitive data the Company holds.
- Documenting where the data is stored, how the data is used and with whom the data is shared.
- Establishing where the data came from and identifying the legal basis for holding and processing it.
- Determining whether the data has been stored outside the Company’s agreed retention period and considering whether we need to continue to hold that data.
We are reviewing relevant security measures to ensure systems are robust and personal data is safeguarded. This will help the Company identify any potential risks of non-compliance or any weaknesses in our data storage and handling systems.
We have continued to upgrade cyber security systems over the last few years irrespective of GDPR. The Company is working towards implementing ISO 27001.
ISO 27001 provides a starting point for achieving the technical and operational requirements necessary to prevent a data breach under GDPR. It requires an independent review of company procedures before certification is given.
Global Lingo will be using a consultant to help achieve the necessary accreditation.
Global Lingo will be engaging extensively with suppliers with whom we share data.
We will also be identifying any arrangements where it will be necessary to have data sharing agreements and contracts in place with third party processors which set out respective responsibilities under GDPR.
Data Protection Officer
Although not mandatory, it is widely accepted that having a Data Protection Officer (DPO) increases the status attached to and priority given by staff to data protection within organisations. At present, the management of our data protection procedures and policies falls under the responsibility of the Senior Management Team at Global Lingo, and we are considering appointing an internal Data Protection Officer.
Reporting a Data Breach
Global Lingo is registered with the Information Commissioner's Office, and we have clear policies in place for reporting a data breach. Our instructions to employees are that if any employee becomes aware of a data breach, it should be reported to the CEO immediately.
Legal Basis for Processing Data
It is important that all businesses identify the legal basis for processing data and document it. We are considering the most appropriate way to achieve this – either by consent or as required for performance of a contract.
We anticipate that a new engagement letter or an addendum to our existing letter will need to be issued to all clients ahead of the GDPR enforcement date.
Data controllers are required to continue to provide transparent information to data subjects. The Company will be reviewing privacy notices to ensure they are in line with GDPR and are in clear and plain language.
The information to be provided must be more comprehensible and inform the data subject of their rights and the period for which data will be stored.
Data Subject Rights
We will ensure that procedures are in place to deal with individuals’ enhanced rights under GDPR, such as the right to data portability and the right to erasure.
Data subjects now have the right to have their data transferred to a third-party service provider in a machine-readable format, and we are implementing policies to facilitate this.
All employees are being made aware of the new data protection regulations and the implications of non-compliance.