The General Data Protection Regulation (GDPR) comes into effect across the European Union on 25th May 2018. The GDPR has been designed to meet the requirements of the digital age based on privacy by design and taking a risk-based approach.
The broader use of technology brings with it new definitions of what constitutes personal information and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.
At Optimal Workshop, we’re committed to ensuring the security and protection of the personal information that we process and to provide a compliant and consistent approach to privacy. We have always had a robust and effective privacy program in place. However, we recognize our obligations in updating and expanding this program to meet the demands of the GDPR.
We’re dedicated to safeguarding the personal information we manage and in developing a privacy roadmap that’s effective, fit for purpose and demonstrates an understanding of and appreciation for the new Regulation. Our preparation and objectives for GDPR compliance are detailed further below.
How we are preparing for the GDPR
We already have a consistent level of data protection and security across the company; however, we’re updating and expanding this work to prepare for the GDPR.
Our preparation includes:
- Appointing a Data Protection Officer (DPO) and registering with the Irish Data Protection Commissioner — if you wish to contact our DPO please email firstname.lastname@example.org.
- Information audit — carrying out an information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed, and if and who it is disclosed to.
- Policies and procedures — updating our policies and procedures to meet the requirements and standards of the GDPR, including policies relating to:
  - Data retention
  - Data erasure
  - Breach management
  - International data transfers
  - Third party selection and management
  - Customer access requests
- Legal basis for processing — we’re reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to.
- Terms and Conditions — we’re updating our terms and conditions to provide more detail to customers and also to introduce a minimum age. We have also introduced a schedule regarding data processing activities.
- Enterprise Agreement — we’re developing a standard enterprise agreement for our larger customers. In the meantime, we have a Data Processing Agreement available upon request.
- Privacy Notice — we're revising our privacy notices to comply with the GDPR, ensuring that you are informed of why we need your personal information, how it is used, what your rights are, who the information is disclosed to and what safeguarding measures are in place to protect it.
- Obtaining consent — we’re revising our consent mechanisms for obtaining personal data, ensuring that you understand what you’re providing, why and how we use it and giving clear, defined ways to consent to us processing your information.
- Direct marketing — we’re revising the wording and processes for direct marketing, including clear opt-in mechanisms for marketing email subscriptions, a clear notice and method for opting out, and unsubscribe features on all subsequent marketing materials.
- Data Protection Impact Assessments (DPIAs) — we’re completing DPIAs for high-risk processes that allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to individuals.
- Processor agreements — where we use any third-party to process personal information on our behalf (for example hosting, SaaS providers etc.), we’re drafting compliant Processor Agreements and implementing due diligence procedures for ensuring that they meet and understand their/our GDPR obligations.
Data subject rights
In addition to the policies and procedures mentioned above, which ensure you can enforce your privacy rights, we are developing easy-to-access information about how you can exercise your rights.
Information security, technical and organizational measures
We take the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have an ongoing security program in place to ensure we continue to follow best practice guidance.
Optimal Workshop has designated a Data Protection Officer (DPO) and has appointed a Data Privacy team to develop and implement our roadmap for complying with the GDPR. The team is responsible for promoting awareness of the GDPR across the company, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.
Every person in the Optimal Workshop team has been involved in our GDPR preparation plans, and we’re making sure there's continuous awareness and understanding across our workplace.
If you have any questions about our preparation for the GDPR, you can reach out to our DPO at email@example.com.