Data protection law exists to balance the legitimate needs of government and other organisations to collect and use personal data for business purposes with the information privacy rights of individuals. In the UK the relevant legislation is currently the Data Protection Act (DPA) 1998, which will be replaced by the General Data Protection Regulation (GDPR) from 25th May 2018. (Source: YPO DP Policy & Guidance Part 1 Para 1.1)
YPO needs to collect and use certain types of information about people it deals with in order to pursue its legitimate business interests. These people include current, past and prospective customers, YPO’s own employees, suppliers and others with whom YPO conducts business. We regard the lawful and correct treatment of personal information as relevant to our core values, important to the achievement of our objectives and the success of our operations, and to maintaining the confidence of those we deal with. To this end we fully endorse and adhere to the principles of data protection. (Source: DP Policy & Guidance Part 2 Policy Statement signed by the MD)
YPO aims to promote effective data protection and to minimise information privacy risk by putting in place measures to enable us to:
• Comply with the law in respect of the personal data we hold about individuals
• Follow good practice including codes and guidance issued by the Information Commissioner’s Office (ICO)
• Protect our stakeholders, staff and other individuals; and
• Protect YPO from the consequences of an information security or privacy breach (Source: DP Policy & Guidance Part 2 Purpose & Scope of the Policy)
Q: What action are YPO taking to prepare for GDPR?
A YPO Board considered a report on the differences between the DPA and the GDPR back in February 2016 and started to put in place arrangements to ensure compliance by May 2018. In 2017 a GDPR Compliance Project was set up. Our preparations have focussed on four key areas:
• Ensuring that we have up to date policies, procedures and guidance in place that reflect data protection law and ICO best practice
• Carrying out data audits to identify and map all our personal data assets, the lawful basis for processing each of them, any consent relied on, and the criteria for updating or deleting the data
• Looking at options to deliver the statutory Data Protection Officer (DPO) role
• Raising awareness and delivering training to staff, because everyone has a role to play in ensuring personal data is kept secure and processed fairly
Q: Does YPO provide training to staff on data protection?
A Yes – we currently provide all staff with relevant data protection training in the form of mandated e-learning modules.
Further e-learning is scheduled, and from 5th March 2018 staff awareness notifications specifically about GDPR are being issued as part of a scheduled programme of GDPR awareness and education across the business.
Q: What arrangements are there for keeping electronically stored data safe?
A YPO holds data in a number of business applications. These systems follow industry good practice for access control, protection, backup and recovery. Access is controlled by passwords and by user privileges and access settings, and data is encrypted where appropriate. Access is restricted to the YPO departments that need the data to perform their duties. The systems are not exposed externally; authorised remote access by YPO employees is through a virtual private network (VPN) solution and requires a generated key code in addition to the user's password.
YPO recently achieved Cyber Essentials certification.
Q: What policies and procedures do YPO have in place to protect personal data?
A YPO has a number of policies in place including:
o Data Protection Policy & Guidance: this includes requirements for data sharing, subject access requests, employee information, and electronic marketing
o Information Security Incident Reporting & Response
o Privacy Impact Assessments
o Retention Policy
Please refer to our detailed data policy and procedures on our website for further information. https://www.ypo.co.uk/legal
Q: Do YPO have a written policy for data protection? And does it provide a procedure for data breaches?
A YPO has an up to date Data Protection Policy that helps us comply with the Data Protection Act and guidance issued by the ICO. This will be updated to reflect GDPR from May 2018. YPO also has an "Information Security Incident Reporting Procedure and Response Plan" that would be followed in the event of a data breach.
Q: Are YPO registered with any formal body regarding data protection?
A Yes, YPO is registered with the Information Commissioner's Office (ICO): https://ico.org.uk/
Q: What is the current position regarding YPO Framework Agreements?
A YPO is working towards compliance across all our framework contracts, following the guidance issued and updated by the Crown Commercial Service (CCS).
Q: Do YPO have insurance related to data breaches?
A YPO has recently taken out cyber insurance cover for the first time. The cover specifically includes support for dealing with data breaches. Relevant business information has been provided to the insurers to ensure we have an appropriate level of cover. We anticipate that this will meet our needs in the event of a data breach but as yet it is new and remains untested.
Q: How do I find out what personal data YPO holds on me?
A You can find out what personal data YPO holds about you by making a Subject Access Request (SAR). Anyone can make a SAR at any time. To be valid a SAR must be made in writing (email is acceptable), and we will need to verify your identity before we can disclose any personal data.
You are only entitled to your own personal data, not information relating to other people. If you are acting on behalf of someone else, you will need to provide written consent from that person, and again we will need to verify this before we can disclose any personal data.
You are not obliged to, but it would help us if, when making a SAR, you could tell us in what context you believe we might hold personal data about you, for example as a customer, supplier, employee or former employee. (Source: DP Guidance & Policy Appendix 4 SARS)