The General Data Protection Regulation (GDPR) is the most important piece of privacy legislation in over twenty years.
The previous Data Protection Act 1998 was a directive and was enforced by the Information Commissioner's Office (ICO). The GDPR is a regulation in law extending the privacy rights granted to European citizens and placing many new obligations on organisations, and is also overseen in the UK by the ICO.
Through regular review of existing practices and procedures, Ping continues to develop data and process compliance, drawing on our technical, staff and internal data management experience to ensure that increased data security requirements can be met. This document sets out our General Data Protection Regulation statement.
GENERAL DATA PROTECTION REGULATION (GDPR) STATEMENT
The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018, replacing the Data Protection Act 1998, and is now the regulation that governs the processing of Personal Data in the EEU.
Many of the GDPR’s main concepts and principles are much the same as those in the Data Protection Act, but with new elements and enhancements and a greater emphasis on accountability and on how organisations demonstrate their compliance. Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – can now be considered personal data.
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes, e.g. the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
The GDPR applies to ‘controllers’ and ‘processors’. The definitions, again, are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. From a business perspective, and due to the wide range of services and products Ping offers and the relationships required to fulfil them, we can be a ‘controller’, a ‘processor’ and, in certain circumstances, both a ‘controller and processor’.
Ping has also identified the benefits of developing and incorporating a paperless workflow. At this stage it has been introduced for one client process; however, long-term plans will see this approach adopted for multiple schemes, offering not only an efficient service but also the benefits of audit transparency and GDPR integration.
Our investment in a technology-based infrastructure offers a level of control over risk and compliance processes. This is achieved via a variety of functionality that supports the principles of GDPR and is managed through Permission Groups and Document Control Types through to Issue and Audit Types, Password Control and Acknowledgements. This allows our systems to be adapted to specific users and their needs while at the same time providing oversight of end-to-end data flows.
This software also provides thorough Audit Log options that allow the tracking of changes and effective version control.
In addition to the controls in place, reporting functionality throughout the system can provide information to support our GDPR requirements. User Accounts on the systems are controlled by customer-determined System Administrators, who have the ability to add, remove and edit user information.
All Ping staff are currently required to sign DPA statements when they join the company, and the importance of handling personal and sensitive data correctly is embedded in our culture. Customers’ data is only accessed on a needs basis for related processing purposes, and this is all carried out in a strictly controlled manner that is in line with the GDPR principles. From a customer’s data perspective (such as account information), all personal and sensitive data is held in systems with strict access controls, accessed by dedicated staff on a needs basis.
Our Compliance Manager has been designated as the Data Protection Officer and as such takes responsibility for data protection, compliance and the management of all security breaches. Accordingly, there continues to be a programme of ongoing activities that ensures we maintain our adherence to the General Data Protection Regulation.
These include but are not limited to:
- Staff Awareness and Training Programmes delivered electronically and in group sessions.
- Full Review and Gap Analysis of data held and how it is processed.
- Continuous programme of Audits.
- Full review of policies, processes and procedures to ensure they are GDPR compliant.