What is GDPR?
General Data Protection Regulation (GDPR) is egulation that came into force on 25 May 2018 which will supercede the existing Data Protection Act 1998. It is designed to unify data protection rules across Europe, including the UK, giving individuals greater control and transparency over how their personal data is used.
GDPR uses the existing Data Protection Act 1998 (DPA) as a framework along with new duties that organisations will need to consider. There are many aspects in the Data Protection Act which are ‘best practice’ and so are not mandatory. The new duties are:
- Duty to report data breaches
- Right for the individual to access data
- Fair processing notice
- Right for rectification
- Right for the individual to be forgotten
- Portability of data
- Privacy by Design
- Definition of a new role, Data Protection Officers, to manage GDPR compliance within your organisation
To ensure compliance, the penalties are going to be far greater than the existing DPA penalties. The fines could be up to £10m or 2% of annual turnover whichever is higher or up to £20m or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. This is dependent on the type of infringement that occurred.
FastTrack takes GDPR compliance seriously and have committed to ensure FastTrack360 is compliant with the act. FastTrack has conducted a review of our hosting partner, business procedures and application stack to ensure we are compliant (as Data Processor) and support our customers (Data Controllers) with policies, procedures and a product strategy that has met the 6 GDPR principles.
Your privacy is important to us, and so is being transparent about how we collect, use and share information about you.
Policies & Procedures
We have also updated our policies and procedures including:
- Processing and accessibility of personal data
Our application is hosted on the Amazon (AWS) cloud within the United Kingdom. Amazon has welcomed GDPR as it is a firm believer in data security and protection. Amazon has confirmed that all AWS services comply with GDPR and details of their commitment can be found at https://aws.amazon.com/compliance/eu-data-protection/
A full technical review has been undertaken of the FastTrack360 solution. The outcome of this review has identified a number of areas that have been addressed in our UK product to ensure the new duties are met. This includes:
Right to be forgotten
- FastTrack360 provide the ability to purge data either for a individual or multiple records.
- Future dated purge requests so that organisations can retain data for the HMRC retention period
- An audit of the request and reason for a denial for the right to be forgotten
- Ability for users to identify where data has been sent to third parties via FastTrack360 to notify them of the request to be forgotten
- An online portal is available for individuals to access the data held. This provides the ability to not just review data but to also opt out from communications for example, email, SMS, mail as required.
- Our report designer is available for customers to design an output of an individual’s data for data portability and for data to be given to staff
Privacy by Design
- Sensitive data that is generated in output files will be password protected
- Sensitive data only accessible by authorised personnel
Right to be informed
- Links will be added to all external facing components, for example; Portal login, Mobile Timesheets, Application Forms, etc. to enable customers to provide their candidates with information on their policy of fair processing