How Abavus is responding to GDPR
The GDPR (General Data Protection Regulation) is a pivotal piece of legislation that has been created to make more robust and consolidate data protection laws for people and businesses within the European Union. The laws will be active and enforceable on the 25th May 2018.
Abavus is fully committed to achieving full compliance with the GDPR in advance of 25th May 2018.
On this page you can find information covering the following areas:
- What is Abavus doing about the GDPR?
- What changes is Abavus putting in place to be GDPR compliant?
- What do the people and organisations that liaise with and work with Abavus need to do?
- How do I find out more detail on GDPR and what it is?
What is Abavus doing about GDPR?
The Abavus team started to plan for and put internal resources in to its response to the GDPR in May 2017. We did this because the secure and compliant management of the data we hold is central to our business and its sustainability. Beyond the need to be compliant we also felt it was important that we visibly demonstrated out commitment to the right to individual privacy.
To date, this is what we have completed towards GDPR compliance and a sequence of next steps that will ensure our continued adherence to the regulations:
- Complete comprehensive research into the areas of our product and our business that are affected by GDPR. We’ve paid for external advice to ensure we’re getting sound guidance – COMPLETE
- Identify and appoint a data protection officer – COMPLETE
- Speak to our customers, answer their GDPR questions and capture their feedback in relation to GDPR – ONGOING
- Carry out and document a data mapping exercise to identify areas for improvement and change in light of the GDPR – COMPLETE
- Complete the required changes and improvements to our internal processes and to our product based on the requirements – IN PROGRESS
- Stress test all of our changes to verify compliance with GDPR and to make sure that these changes actually work in practice – ONGOING
- Finish all of the required steps and then share details our full compliance – ONGOING
What changes are we making at Abavus to be GDPR compliant?
We are doing a wide range of things across the business to make certain that we will be ready in advance of the GDPR deadline.
On the basis of the research we have completed and the outside advice we have invested in we are confident that our plan of action will meet the requirements of GDPR
We will continue to communicate the detail of the updates and changes in a timely fashion. Our commitment to reviewing and updating our data protection, privacy and GDPR policies does not end on 25th May 2018, when the new regulations kick in, this is an ongoing undertaking.
Whilst we are making changes to and improving our internal processes as they relate to our use of data for marketing and speaking with our direct clients, we are also making changes to the My Council Services platform.
With our partners and colleagues as iTouch Vision, we have created and deployed interfaces that will allow councils to address requests from customers relating to their rights for accessing and erasing any personal data that might held in the My Council Services platforms.
In addition, we have designed and created functions that also enable a customer i.e. a resident or business that is a customer of a council, to request deletion of their registrations and account data. Importantly such erasure and deregistration requests will be subordinate to councils’ own data retention policies. For example a customer may request to be de-registered yet the council may still have the legal right to retain their data for the purpose of debt collection or some other form of mandated record keeping. In such a situation each council’s configured data retention policy would prevail.
There are more details regarding how My Council Services can help councils ensure GDPR compliance in this document.
What do Abavus customers need to do?
The guidance that follows is not exhaustive, it provides some initial suggestions of actions that your Council may need to take. This does not constitute legal advice and you should take specialist legal advice should you require it.
I’m not familiar with the GDPR and would like more details on what it is:
The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive.
GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of personal data is very broad and covers any information relating to an identified or identifiable individual.
It gives individuals more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also increases the risks associated with non compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
To follow are some of the key changes to come into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
- Compliance obligations: The GDPR requires organisations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organisations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected individuals. The GDPR also places additional security requirements on organisations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organisations engaged in profiling or monitoring behaviour of EU individuals.
- Increased Enforcement: Under the GDPR, authorities can fine organisations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
There is much more information about GDPR and its implications on the website of the Information Commissioner’s Office.