What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that applies from 25 May 2018 and supersedes the regime of the existing Data Protection Act 1998. It is designed to unify data protection rules across the EU, giving individuals greater control over, and transparency into, how their personal data is used.
What are the new legal GDPR Duties?
GDPR builds on the same principles as the existing Data Protection Act 1998 (DPA) and adds new duties that organisations will need to consider. Several things that were only ‘best practice’ under the DPA, and so not mandatory, become legal obligations under GDPR. The new duties are:
— Duty to report personal data breaches to the supervisory authority (within 72 hours of becoming aware, where feasible)
— Right for the individual to access their data (subject access)
— Right to be informed (fair processing notice)
— Right to rectification
— Right to erasure (the ‘right to be forgotten’)
— Right to data portability
— Privacy by Design and by Default
— Definition of a new role, the Data Protection Officer, to oversee GDPR compliance within your organisation (mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special-category data)
What are the penalties?
To ensure compliance, the penalties are far greater than the existing DPA penalties. Depending on the type of infringement, fines can be up to €10m or 2% of global annual turnover of the previous financial year, whichever is higher, or up to €20m or 4% of global annual turnover of the previous financial year, whichever is higher.
What is FastTrack’s Strategy for GDPR Compliance?
FastTrack takes the new GDPR compliance changes seriously and is committed to ensuring that FastTrack360 complies with the regulation. To date we have conducted a review of our Hosting Partner, Business Procedures and Application Stack to ensure we can maintain compliance (as Data Processor) and, through the technology, support our customers (as Data Controllers) in meeting the six data protection principles described by the GDPR.
Below is a summary of FastTrack’s GDPR strategy:
Our application is hosted on the Amazon Web Services (AWS) cloud within the United Kingdom. Amazon has confirmed that all AWS services will comply with GDPR, and details of its commitment can be found at https://aws.amazon.com/compliance/eu-data-protection/ . Note that the hosting provider’s compliance covers the provider’s share of the shared responsibility model only; the configuration and use of the platform remain the responsibility of FastTrack and of our customers.
A full technical review has been undertaken of the FastTrack360 solution. The outcome of this review has identified a number of areas that will be addressed in our UK product to ensure the new duties are met. This includes:
Right to be forgotten
— FastTrack360 will provide the ability to purge data either for an individual or for multiple records.
— Future-dated purge requests, so that organisations can retain records for the statutory HMRC retention period before erasure (the right to erasure does not apply while a legal obligation requires the data to be kept)
— An audit record of each request and, where a request is refused or deferred, the reason
— Ability for users to identify which third parties data has been sent to via FastTrack360, so that they can be notified of the request to be forgotten
— An online portal is available for individuals to access the data held about them. This provides the ability not just to review data but also to opt out of communications, for example email, SMS or post, as required.
— Our report designer is available for customers to design an output of an individual’s data, both for data portability (which under GDPR means a structured, commonly used and machine-readable format) and for data to be given to staff
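The erasure behaviour listed above (purge now, defer while a statutory retention period still applies, audit the request and the reason for any deferral, and report which third parties must be told) is easiest to reason about as code. The following is an added illustrative example, not FastTrack360’s code: the retention rule (payroll records kept for three years after the end of the tax year they relate to), the record categories and the sample records are all constructed for the example.

```python
"""Illustrative right-to-erasure handler (added example, not FastTrack360 code).

Purges a data subject's records, defers the purge of records still inside a
statutory retention period, keeps an audit trail of the request and of the
reason any record was not purged yet, and reports which third-party recipients
must be notified of the request. Retention rules and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption for the example: payroll records are kept 3 years after the end of
# the tax year they relate to; categories with no entry have no statutory retention.
RETENTION_YEARS = {"payroll": 3}
DEMO_TODAY = date(2018, 6, 1)     # constructed "current date" for the demo


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str                 # e.g. "payroll", "marketing"
    created: date
    recipients: tuple = ()        # third parties this record was sent to


@dataclass
class Outcome:
    record_id: str
    action: str                   # "purged" or "deferred"
    purge_on: Optional[date] = None
    reason: str = ""


def uk_tax_year_end(d: date) -> date:
    """End (5 April) of the UK tax year that contains d."""
    this_year_end = date(d.year, 4, 5)
    return this_year_end if d <= this_year_end else date(d.year + 1, 4, 5)


def retention_end(rec: Record) -> Optional[date]:
    """Date from which rec may be erased, or None if no statutory retention applies."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return None
    ty_end = uk_tax_year_end(rec.created)
    return ty_end.replace(year=ty_end.year + years)


class ErasureService:
    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.scheduled = {}       # record_id -> date on which it becomes purgeable
        self.audit = []           # append-only log of requests and decisions

    def handle_request(self, subject_id, request_id, today):
        """Process an erasure request; returns (outcomes, recipients_to_notify)."""
        outcomes, notify = [], set()
        for rec in [r for r in self.records.values() if r.subject_id == subject_id]:
            notify.update(rec.recipients)
            end = retention_end(rec)
            if end is None or end <= today:
                del self.records[rec.record_id]
                outcomes.append(Outcome(rec.record_id, "purged"))
            else:
                # Erasure does not apply while a legal obligation requires retention
                # (GDPR Art. 17(3)(b)): record the reason and schedule the purge instead.
                self.scheduled[rec.record_id] = end
                outcomes.append(Outcome(rec.record_id, "deferred", end,
                                        f"statutory retention until {end.isoformat()}"))
        self.audit.append({"request": request_id, "subject": subject_id, "date": today,
                           "outcomes": [(o.record_id, o.action, o.reason) for o in outcomes],
                           "notify": sorted(notify)})
        return outcomes, sorted(notify)

    def run_due_purges(self, today):
        """Scheduled job: purge every deferred record whose retention period has ended."""
        due = [rid for rid, end in self.scheduled.items() if end <= today]
        for rid in due:
            self.records.pop(rid, None)
            del self.scheduled[rid]
            self.audit.append({"purged_on_schedule": rid, "date": today})
        return due


def build_demo_service():
    """Constructed sample data: two subjects, one with payroll and marketing records."""
    return ErasureService([
        Record("r1", "subj-001", "payroll", date(2015, 3, 1)),
        Record("r2", "subj-001", "payroll", date(2017, 9, 10)),
        Record("r3", "subj-001", "marketing", date(2018, 1, 1), ("sms-gateway.example",)),
        Record("r4", "subj-002", "payroll", date(2017, 9, 10)),
    ])


if __name__ == "__main__":
    svc = build_demo_service()
    for outcome in svc.handle_request("subj-001", "req-1", DEMO_TODAY)[0]:
        print(outcome)
    print("purged on schedule:", svc.run_due_purges(date(2021, 4, 5)))
```

Running the demo purges the 2015 payroll record (its retention ended on 5 April 2018) and the marketing record immediately, defers the 2017 payroll record until 5 April 2021 with that reason written to the audit log, and reports the SMS gateway as a recipient to notify; the other subject’s record is untouched.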
Privacy by Design
— Output files that contain sensitive data will be password protected
— Sensitive data will be accessible only to authorised personnel
Right to be informed
— Links will be added to all external-facing components (for example the Portal login, Mobile Timesheets and Application Forms) so that customers can provide their candidates with information on their fair processing policy
FastTrack is currently undertaking the steps required to obtain ISO/IEC 27001 certification. This is the internationally recognised standard for information security management systems, which helps ensure that sensitive information assets are protected and that the controls around them are auditable. Certification does not by itself constitute GDPR compliance, but it is widely recognised as a standard that aids significantly in demonstrating appropriate security of processing as a data processor. FastTrack is committed to obtaining ISO/IEC 27001 certification by the time GDPR applies on 25 May 2018.