The purpose of this document is to outline what Universal Media is doing in preparation for the introduction of the General Data Protection Regulation (GDPR) on the 25th of May 2018, and to provide assurance to both clients and suppliers that we have a robust approach to the GDPR in place and are confident of compliance when the regulation comes into force.
Below is an outline of how we have set about ensuring that our data protection processes, compliance obligations and security measures meet the requirements of the GDPR. The approach we have adopted is one that is considered best practice for ensuring full compliance.
Universal Media, like most companies, holds a lot of different information in different contexts; we also hold information for operational purposes, such as contact information and information about our employees.
Therefore, it is important for us in the first instance to identify all of these ‘pots’ of data to ensure that we understand fully:
- in what context we hold the personal information (i.e. as a data controller or a data processor)
- how we hold the information (e.g. in what format, or where it is stored)
- the legal basis on which we are relying (Schedule 1 of the Data Protection Act and Article 6 of the GDPR)
- in cases where we establish that the legal basis is consent, whether we hold the necessary consent
- how long we intend to hold the personal data
- what processing activities relate to the personal data
- whether the data is shared with other parties or sourced from another party
Establishing the legal basis and compliance
For each set of personal data identified in our data mapping exercise, we have been formulating a set of actions to ensure that our obligations in the relevant context (data controller or data processor) are met.
As a data controller
In general, where we have identified that we hold a particular set of personal information in the context of a data controller, we have:
- Reviewed the data held against the six key principles of the GDPR.
- Reviewed the security measures currently in place to protect the data.
- Amended the existing privacy notices to ensure that they meet the new requirements under the GDPR.
- Reviewed our subject access request process and made amendments where necessary.
- Ensured that data subject rights have been accounted for in the way we handle and store data.
- Where we have had to rely on consent, ensured that we have the necessary processes in place to facilitate the data subject rights associated with consent, for example the right to be forgotten (erasure) and the right to data portability, while noting that these rights are qualified rather than absolute (e.g. where we need to retain certain information for legal reasons, we are able to do so despite a request for erasure).
Data held by Universal Media in the context of data controller
For the sake of brevity, the following list is not exhaustive, but it is intended to demonstrate that we have taken a comprehensive look at all the personal data we hold. This data includes:
- Excel and Google lists of companies
- Excel and Google Drive lists of contacts within those companies
- CRM records identifying an individual at a company, or a client that is an individual
- Spreadsheets, documents and emails that contain information identifying an individual
- Personal employee information, such as mobile telephone numbers and personal email addresses
- CVs collected and held as part of recruitment activities
- Possible backups of the above information
As a data processor
In order to ensure that we are compliant in how we process the data we hold, we have:
- Reviewed the security measures currently in place to protect the data.
- Reviewed our data handling procedures and training.
- Reviewed our subject access request process and made amendments where necessary, to ensure that when requests are made for client data we have the appropriate contact information to forward the request on.
- Reviewed the requirements for our systems to include the appropriate privacy statements written by clients.
- Put measures in place so that we understand the retention periods that clients have in place for their data (as stated in their privacy notices), and have procedures in place to remove data upon written instruction from our clients.
As an organisation we don’t provide in-depth details of our security infrastructure, since this would compromise the measures that we have in place. In general, we have the following in place to protect the personal data that we hold:
- Firewalls in a redundant configuration, so that the networks are protected continuously
- Active monitoring of potential threats through Intrusion Prevention Systems, with threat information sent directly to the responsible personnel
- Antivirus and anti-malware protection running on all servers and computers within the network