The EU General Data Protection Regulation ('GDPR') came into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, GDPR has been designed to meet the requirements of the digital age.
GDPR imposes new obligations on organisations that control or process relevant personal data and introduces new rights and protections for EU data subjects.
Within this statement QA want to highlight to our customers the measures we have put in place to ensure compliance with GDPR where we process personal data on your behalf.
QA places high importance on information security. Within our group we already comply with a number of information security standards, and QA has been certified to ISO27001:2013 since 2014. QA has also been certified to the CyberEssentials standard since the scheme's inception and currently holds CyberEssentials Plus certification. Compliance with these recognised standards has ensured that QA has a robust and wide-ranging framework and extensive policies to manage the security and handling of personal and commercial data across our organisation and within our supply chain.
QA also ensures that the communication of information security, GDPR and other statutory requirements is covered through regular staff information security and data protection training and awareness campaigns.
QA is dedicated to safeguarding the personal information under our control and is committed to ensuring that we comply with GDPR to protect the personal information that we process, and to provide a compliant and consistent approach to information security and data protection while recognising our obligations within GDPR and the demands of the incoming UK Data Protection Bill.
Our preparation and objectives for GDPR compliance are summarised in this statement and include the development of existing policies and the implementation of new policies, procedures, controls and measures to ensure ongoing compliance.
Our internal Information Security and Data Protection staff have worked with external consultants and legal counsel to ensure that we meet the requirements of GDPR across our business.
QA will comply with GDPR as a processor and controller of data, depending on the area and engagement, and has been planning and developing a programme of work that delivers the requirements of the legislation. This has required working with our suppliers and partner organisations to ensure that they can also meet these obligations.
Our preparation includes:
- Data Audit – we understand the data, how and why we process it, its retention and, where required, a DPIA
- Lawful Basis for Processing – we have reviewed our processing activities and confirmed the lawful basis for each
- Information Security – we have confirmed that our technical and organisational controls are appropriate
- Cookies and Privacy Notices – we have reviewed and updated our policies
- Data Subjects' Rights – we have reviewed our processes to ensure that data subjects' rights are preserved, including consent, subject access requests, and the rights of erasure and correction
- Data Breaches – our incident management procedures have been enhanced to ensure we meet the reporting requirements
- Supplier Assessment – we continue the process of supplier evaluation to confirm that contractual and legal requirements are in place
If you have any questions surrounding QA’s GDPR compliance, please contact our DPO via email at firstname.lastname@example.org