The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It is EU legislation; however, it applies to the UK and will be introduced despite Brexit.
The requirements are complex and onerous, and they affect all organisations regardless of size or sector. Organisations must comply or risk fines of up to 4% of annual global revenue, or €20m, whichever is higher. They may also be open to class action lawsuits.
Under GDPR, organisations will have to:
- Document their policies and procedures relating to data protection
- Document what types of personal data are processed and which of these are considered sensitive
- Document how personal data is collected (e.g. via a website)
- Document how it is stored (e.g. in a database)
- Document which third parties the data is shared with
- Respond to a Subject Access Request (SAR) from an individual within a fixed deadline of 30 days
- Inform the regulator about any Breaches within 72 hours
Many organisations, even if they have a theoretical understanding of the requirements of GDPR, find it difficult to start the practical steps required for a successful GDPR compliance project.
GMA’s solution has a pre-built framework that will enable organisations to document information such as their data sources, data storage, privacy and security policies.
N.B. Screenshots are taken from GMA's demonstration environment.
The following sets out an example of some of the information an HR department would have to record:
- Data types that are processed - e.g. names, private addresses, bank details (sensitive), health data (sensitive).
- How the data is collected - e.g. via a ‘New Joiner’ form - and information such as whether consent is required and, if so, how it is captured.
- Where the data is stored - e.g. in an HR database or filing cabinets - and information such as security and backup procedures.
- Which third parties the data is shared with - e.g. a payroll company or health insurance provider - and information such as if the data is sent overseas.
- Procedures for responding to a SAR including retrieving, remediating or deleting personal data - e.g. stored in the HR database or shared with the payroll company.
The solution also has functionality for recording:
- SARs and the actions and timelines for responding
- Breaches and the actions and timelines for notifying the regulator and, where necessary, impacted individuals
The solution keeps a full audit trail of all changes made by users and does not allow users to delete any records. In the event of an inspection by the Information Commissioner's Office (ICO) or an industry regulator such as the FCA, organisations will therefore be able to provide evidence that:
- Policies and procedures required by GDPR have been implemented
- They have responded in a timely and effective manner to a SAR or Breach
The GDPR solution is a ‘plug-in’ for the Microsoft SharePoint collaboration platform (SharePoint) and would be deployed by GMA to a client’s environment. This could be in Office 365 or an on-premise SharePoint 2013 or 2016 environment.
N.B. Older versions of SharePoint, including 2010 and 2007, are currently not supported.
Many clients are likely to want additional functionality such as:
- Integration with the client’s systems containing personal data
- Advanced search with AI capabilities to identify personal data
- Workflows such as tasks management and review
GMA can tailor additional functionality to each client’s specific requirements.
GDPR is complex and many organisations are unsure of where to start. GMA’s SharePoint-based ‘plug-in’ provides organisations with the tools needed to make the practical steps towards GDPR compliance by supplying a straightforward solution to a complex problem.
To learn more call us on +44 (0)20 3633 1030 or email us at email@example.com.