From 25th May 2018 the most significant change in data protection in decades will begin with the General Data Protection Regulation (GDPR). The data protection laws apply to all businesses that hold or process personal data (including sole traders) and aim to balance the rights of individuals with legitimate business needs. The intended purpose of the new laws can perhaps be best summarised by the UK Information Commissioner, Elizabeth Denham, who has gone on record to say, “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.
How IRIS Have Been Preparing:
At IRIS we have actively been working on our GDPR strategy since June 2016, starting with the appointment of our Group Data Protection Officer. Since then, we have been conducting a huge internal project, beginning with new risk assessments for all of our products and services before moving onto our internal processes at organisational, divisional and departmental level.
Our Data Protection Guarantee
- An outcome of our data protection review is the corporate framework necessary to demonstrate to customers and prospective customers that we manage personal data responsibly and within a culture of privacy.
- We will ensure we continue to manage personal data in compliance with data protection laws applicable to data processors by keeping our processing activities under review.
- We endeavour to make our products suitable for our customers to achieve data protection compliance so that our customers have what they need by the time the new laws come into force.
- Any essential improvements we identify from our product gap analyses and risk assessments will be implemented within our products and services promptly.
- We have in place a critical incident reporting procedure to ensure that any breaches, if they were to occur, are assessed and notified to customers without undue delay to allow customers to meet the reporting timescales in the new law.
Notable Aspects of Our Preparations and Resources
Governance at IRIS
- In 2017 we set up an Information Security and Governance Forum that meets at least quarterly and includes members of our Executive team, the Chief Information Officer, the Group Head of IT and the Group Data Protection Officer.
- We also have divisional information governance groups containing key stakeholders from each department to steer reviews and improvements to our departmental policies and procedures.
Reviewing our documentation
- This includes reviewing our supplier and sub-processor contracts, as well as any customer-facing documents, to ensure they include all the necessary data protection requirements.
Company-wide protocols adopted
- We have a Group Data Protection Policy
- We have a Group summary of our Acceptable Use and Information Security Policies (this summarises the requirements of our more detailed Information Security Management System)
- Personal data incident reporting procedure.
- We actively carry out security checks on all staff on recruitment.
- Our Group policies are available to our customers on request via email@example.com
- IRIS has mandatory corporate training on data protection and information security for all staff. This is rolled out on staff induction and for existing staff each training session is refreshed at least once per year.
We are aware that the IRIS products and services may be integral to the processes that our customers implement in order to meet some of their own data protection obligations. Consequently we have identified the need to provide our customers with more information about how certain aspects of our software work. This will help customers (as data controllers) to identify how they are processing personal data and how it is shared with third parties such as HMRC and Companies House. We have, therefore, been producing guidance to assist our customers in this respect and to help their understanding of any non-obvious processes in order to incorporate this information into their own compliance plans. Please contact your account manager for more information about the specific IRIS products you are using.
Other useful links about our policies and data protection
Useful information about our products
Understanding the new Data Protection Laws
We would strongly recommend customers seek their own legal advice if they are unsure about the implications of the new data protection laws on their businesses.
The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. While we have made every effort to ensure that the information provided on this website is correct and up to date, IRIS makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. IRIS will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.