The General Data Protection Regulation (GDPR)
Imperial and GDPR
The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018 and, for the parking and traffic management sector, its importance must not be underestimated. The new regulations impose far-reaching obligations and responsibilities on any organisation handling and processing personal data to ensure they plug any potential security loopholes, know why they are collecting data and have stringent disciplines to ensure secure storage and processing of data. Enforcement of the most significant data protection legislation for more than two decades will be more stringent than ever before and there will be severe financial penalties for non-compliance.
Imperial has always maintained an unwavering commitment to effective data protection, management and security. Building on our ISO 9001 Quality Assurance certification and compliance with the current Data Protection Act, we took early steps to prepare for the introduction of the new GDPR legislation. This included the appointment of a dedicated Data Protection Officer early in 2017 and an exhaustive audit of our products, policies, processes and procedures. We have also secured Cyber Essentials certification and are registered with the Cyber-security Information Sharing Partnership (CiSP) through the National Cyber Security Centre.
As a data processor, we must also meet the contractual provisions and obligations that will now be required for all the work we undertake on behalf of clients, the ‘data controllers’. As well as ensuring our own operations are fully compliant with the new regulations, Imperial has taken a leading role in supporting and working closely with clients and partners to reflect the shared responsibilities and help ensure all parties meet their GDPR obligations. This has included dedicated training sessions led by an experienced Commercial Solicitor, to provide clients with insight and support during the transition to GDPR. One-to-one client briefings have also demonstrated the painstaking work we have undertaken to meet the more stringent data protection standards.
We are confident that our thorough and proactive preparation for the new GDPR legislation meets both the spirit and the letter of the new regulations:
- Comprehensive review of all systems, products, processes and procedures, with additional or enhanced disciplines and features introduced as required for GDPR compliance. In terms of infrastructure, this covers not only our own servers, networks and PCs, but also the servers where we are providing a hosted solution for clients.
- Detailed review of the different types of data held and a full Data Protection Impact Assessment of consent management procedures and all personal information stored and processed by the company.
- Defined controls for all data handled by the company, covering the data flows, the lawful basis and the responsibilities for every processing activity, together with all data storage and disposal procedures.
- Clearly defined management accountability and reporting disciplines at all times and in all areas.
- Assurance that all administrative procedures allow personal and transactional data to be easily located and then extracted, rectified, anonymised or erased, so that data subject requests for access, rectification, erasure, portability or restriction of processing can be met within the required timescales.
- An unwavering commitment to monitor and apply the regular updates and guidance issued by the Information Commissioner’s Office and the National Cyber Security Centre.
- Full Risk Management and Data Protection Impact Assessments prior to the commencement of any project and the adoption of any new technologies.
- Software functionality to deliver data minimisation, secure data disposal, data recovery and data processing restrictions, as well as the ability to monitor and report on GDPR compliance.
- Endpoint and device security controls, from full disk encryption, patch management and password management to user security permissions and restrictions on removable media.