What are we doing to ensure compliance?
At Alcumus, we are committed to protecting and respecting the privacy of individuals, and take our obligations under data protection legislation seriously. We already manage personal data in accordance with the industry standards for ISO 27001, PCI DSS, and in some locations, in accordance with the Cyber Essentials Certification. We understand and welcome the high standards that GDPR will promote and encourage across all organisations that process personal data on behalf of third parties.
In order to ensure our readiness for GDPR, we have in place a multidisciplinary project team which, informed by an external GDPR gap analysis assessment and specialist external advice, has the following key priorities:
• Modify and fine-tune our existing management systems, processes and policies (including ISO 9001 and ISO 27001) to ensure that we are GDPR-compliant.
• Ensure that our employees and consultants are fully aware of the new obligations that GDPR will introduce, and that there is accountability and shared responsibility for compliance, from Board level and throughout the Group.
• Provide a range of products and services to our customers to assist them in preparing for GDPR, including specific support to those who use our technological solutions (such as our specially configured data-capture software), to ensure that such solutions are compliant.
Our five business units process personal data on behalf of our 42,000 customers, from large global brands through to SME businesses. We understand the importance of good data practices to our customers, and are on hand to support our customers through their GDPR-readiness journeys. Some of the specific initiatives that we are currently progressing include:
• Data Review – An extensive review of all personal data we hold, as we prepare a detailed data roadmap which outlines where this data is held, why we hold it and for how long.
• Contractual Updates – A full-scale analysis of third parties who process data on our behalf, and updates to contractual positions to ensure that we (and our customers) are protected as well as possible. In addition, we are updating our current business terms and conditions to give our customers the assurances required under GDPR.
• Process Updates – Updates to our existing procedures to ensure we have the tools to maintain compliance with GDPR. This includes the appointment of a new Data Protection Officer, and a review of our existing policies such as our data security and incident response plans.
• Improved Subject Access – Updates to our existing subject access request processes to make it easier and quicker for data subjects to exercise their rights.
• Review of consents – Review of our existing marketing practices, and associated consents, to ensure that these are transparent, fair and GDPR-ready.