With the European General Data Protection Regulation (GDPR) only months away, you may have some questions about what Graydon is doing to prepare for this important Regulation. Below, we have provided answers to questions that we think you may have. We will be updating this regularly, so please check thispage for the latest information.
Graydon is a trusted partner to its customers and stakeholders and wants to maintain its outstanding reputation in both its domestic and international markets. Therefore, compliance with the latest data protection legislation is essential to our business. In 2016 an assessment was performed by EY to assess the level of compliance against existing laws and regulations, which showed that within Graydon, currently privacy is a topic that is well organised and managed.
We have assessed the potential impact of GDPR on our business and identified the changes that are required across multiple functions to ensure compliance with the increased requirements resulting from the GDPR. A multidisciplinary and group-wide project team has been established across the Graydon Group to work towards GDPR compliance before May 2018. A GDPR implementation project plan with key milestones has been drafted. The project is under way and is now in implementation phase.
Our Board of Directors and Executive Committee or the Graydon Group are fully engaged with our GDPR project, which is driven and overseen by our Group Compliance Officer.
The products and services that you purchase and receive from Graydon are being reviewed from a GDPR compliance perspective in order to identify what, if any, changes need to be implemented prior to May 2018.
At the same time, we aim to ensure that our customer contracts reflect the new GDPR where required. We will also take this opportunity to simplify and standardise our contracts and T & C's.
We are reviewing our privacy statements and will be updating our notifications across the Group to ensure data subjects are informed in accordance with the transparency requirements under GDPR.
With GDPR on the way, we aim to ensure that our teams are all equipped to deal with data subject requests. In addition, we are updating and implementing our policies and procedures and simplifying the way in which data subjects can exercise their rights with Graydon.
Graydon already has robust processes and procedures in place to manage compliance under existing data protection legislation. As part of our GDPR project, we will carefully review our current processes and procedures to identify where they need revising to ensure compliance with GDPR. These will include amongst others:
The impact of GDPR will be considered at the design stage of all new products or enhancements to existing products and any requirements incorporated into the design.
As part of the GDPR project, Graydon is putting together a data inventory containing a comprehensive overview of all data that is processed: by whom, where and for what purpose.
We are in the process of reviewing existing supplier contracts and, where necessary, these contracts will be amended to ensure compliance with the GDPR. Graydon aims to ensure that any new supplier contracts will adhere to GDPR.
Graydon will aim to ensure compliance with the requirements under GDPR for international data transfer. As part of the GDPR project, we will be reviewing our current policy and practice and will update where necessary.
Graydon considers privacy and confidentiality of personal data of upmost importance. Graydon therefore aims to ensure, that appropriate technical and organisational measures are in place to protect personal data against loss, abuse and any form of unlawful processing. This will be further clarified in an overall security policy, coupled with an effective and robust control framework in line with industry standards.
The security of all data (including personal data) that we hold is of utmost importance to us. Graydon will implement data security measures, processes and procedures to ensure that, in the event of a breach, it will be detected, investigated and managed efficiently across the Group.
Privacy Impact Assessments have, for a number of years, been promoted by the data protection authorities as good practice. As a responsible data company, Graydon will conduct Privacy Impact Assessments as part of the compliance approval process for any new initiatives or changes to existing products/services which are likely to have an impact on privacy. See also ‘Privacy by design/default’.
A DPO (Data Protection Officer) will be appointed by 25th May 2018.
Graydon aims to ensure personal data is stored no longer than necessary, taking into account the nature and purpose for which it was collected and any associated statutory periods that may apply.
Whilst it is important to achieve compliance with GDPR by 25th May 2018, Graydon is committed to maintaining compliance from 25 May 2018 and beyond. The GDPR project is just a starting point for continuous compliance with GDPR.
This statement was last amended December 2017