GDPR part 2: taking things seriously, what we've done to prepare
Following on from last weeks Fleet Industry Guide To GDPR this week we've decided to write about what we've done as a business to help prepare for the changes on the 25th May 2018.
1) Invested in a dedicated Data Protection Officer
Data is the heart of all our services, we make it our business to ensure we are ahead of the crowd when it comes to understanding data regulation and compliance, so we’ve employed a Data Protection Officer who informs and advises us about the obligations to comply with GDPR. Our DPO also monitors compliance and decides whether we need minor tweaks to our existing process or whether a new data protection strategy is needed.
Alongside this our Data Protection Officer has looked at and applied the 4 stage Discovery, Management, Protection and Reporting list to our operation and organised external PEN tests to our systems ensuring our customers’ data is secure. This is particularly important in our ever-growing data led industry.
As a business we’ve documented where all data is stored as well as all data processes, procedures, methods, frequency associated with personal data for all customers in our ‘Record of Processing activities’ and where we are a controller in our ‘Record of Controller processing activities’. We have assigned categories of processing to each and identified our customers data controller / data protection officer contact details so we can notify in a case of failure. Within this document we’ve identified the safeguards we’ve implemented to ensure we are compliant e.g the password and access controls, encryption, firewalls, Geo location blocking, web application filtering, use of white listing and blacking software, file backup etc.
We’ve also ensured we have the necessary policies in place to comply to the standards specified in the ISO 27001 and 27002. Where necessary we have generated and updated policies examples being: Information security documents, personal screening policy, password policy, access control policy, breach management, documentation control policy, data protection policy, communication security, data retention and erasure policy, HR etc.
3) Investment in infrastructure
The security, resilience and redundancy of our infrastructure underpins our services and capabilities. With the industry slowly requiring more from vehicle data to support the delivery of our services we invested over £500,000 into the business infrastructure enhancing our security, resilience and redundancy. Meaning our systems which we operate from are more secure, quick and capable than ever - ensuring we are in a healthy position and ready for the new legislation and digital age of ‘big data’ without impact.
4) Internal GDPR training to staff members
We are educating staff of the new legislation through our GDPR presentation that our DPO walks through with members.
As part of our training scheme all employees have to pass a formal GDPR questionnaire annually. The questionnaires is a key compliance to the operator being able to take calls.
5) Working with our customers
A critical part of our preparation is working alongside our customers’ teams, advising them on how current processes may need improving to ensure compliance in May. Most notable examples are new customers who currently send personal data through email or excel documents that aren't encrypted.
6) Seamless data syncs
Businesses in the fleet industry will have to make sure customer and prospect data remain safe and secure by having one central place for data storage. We’ve recently migrated all our data to one database. By doing so and merging our platforms data is stored all in one place meaning no risk of duplication, or storing historical data of drivers who no longer drive that vehicle.
7) Multi-level user permission
To better protect individual’s information, we’ve created multi-level user permissions for any type of software/ technology being used.
With only a few months to go it’s safe to say there’s a lot to do and not a lot of time. We have embraced the GDPR hopefully most of you will too.
For more information please call us 01202 628282.
Visit the website here, follow us on LinkedIn here or Twitter here.
DISCLAIMER: i247 Group is an outsourced fleet service partner providing driver support, fleet administration and online solutions to the leasing and fleet management industry. Whilst we have performed extensive research into the GDPR legislation and are happy to provide our working knowledge intended to help our clients to become better prepared we do not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own.