Purple Wifi Limited and the EU General Data Protection Regulation (GDPR)
GDPR becomes enforceable from 25th May 2018, and whilst many of its main concepts and principles are much the same as those in the current Data Protection Act (DPA), it also significantly raises the benchmark for data protection compliance. With just a few weeks until the GDPR is enforced, we want to take this opportunity to provide you with an update on the technical and organisational measures we have implemented to ensure that Purple is fully compliant with the new legislation.
Purple Wifi Limited, have always placed a high degree of importance on information security and we already comply with data protection laws of all the countries we operate in around the world. We are also ISO27001 and ISO9001 compliant and this compliance is audited annually by independent third-party consultants.
Over the past year we have taken the following steps to ensure our compliance with the GDPR:
Our Senior Management Team are fully aware of the new GDPR regulations and developments in data privacy law are regularly discussed to ensure we identify any new privacy requirements such as changes in the law or updated best practices.
We have appointed a Data Protection Officer who is suitably qualified and experienced in this area. Purple’s Data Protection Officer is Peter Blenkinsopp.
We have completed a full data audit of the all the data we collect, process and store and have identified where it comes from and who we share it with.
Throughout 2017 and 2018 we have been running staff awareness sessions to ensure all our staff understand the new law and what these changes mean to them. Data privacy and protection training will continue to be a key part of our compliance processes going forwards.
We have reviewed all our processes and procedures to ensure they comply with the key privacy principles of the GDPR i.e., Lawfulness, Purpose, Minimisation, Accuracy, Limitation, and Integrity & Confidentiality.
All of our legal bases for collecting personal data have been reviewed and where consent is required we ensure that data is collected in a manner that is compliant with the GDPR.
All of our customer and partner contracts have been updated to include the terms and conditions mandated by the GDPR. We also have agreed audit policies in place with all third-parties who process personal data on our behalf.
We have reviewed, updated and refreshed our data policies to ensure they comply with the GDPR.
Our policies have been updated to ensure that we can accurately identify when Data Protection Impact Assessments need to be completed. In addition, we have created templates and documents to support these activities when required.
Our existing policies and processes for dealing with consumer queries and subject access requests are already robust. However, the GDPR places greater obligations on controllers of data in this area. We have, therefore, updated and extended our policies to cover these new requirements.
We have reviewed and updated our data breach reporting policies to ensure that they are aligned with the new requirements of the GDPR and where required we can report breaches with the timescales prescribed.
We are confident that the changes we have implemented will ensure that Purple WiFi Limited complies with the new GDPR requirements when they become enforceable on the 25th May and beyond.