PEN International already adheres strictly to the Data Protection Act (DPA). We are now working towards full adherence to the new General Data Protection Regulation (GDPR) which came into force on 25 May 2018.
The GDPR will replace the current DPA governing the processing of personal data by companies. The GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). The GDPR affects all organisations that use and process personal information, including those outside the EU. PEN is working hard to ensure that it is fully compliant with the new changes and will be documenting the progress along the way through our GDPR statement.
A lot of the concepts and principles will remain the same as those stated in the Data Protection Act, but with more emphasis on accountability and how businesses are demonstrating compliance. GDPR still applies to ‘personal data’ but there is a lot more detail included. An example of your personal data would be the IP address of a device which indicates the location of the device.
The GDPR applies to both electronic systems storing and holding personal data and to manual filing systems where personal data is accessible. This is wider than the scope of the Data Protection Act and includes chronologically ordered sets of manual records containing personal data.
Among other things, PEN International will need to be able to prove that we have permission from individuals who live in the EU to send them communications by email and text message. This excludes communications by post. This will include data collected through informed consent on both paper and digital forms. Under the GDPR, organisations are allowed to contact individuals by post without asking for their consent.
The GDPR refers to sensitive data as "special categories" of personal data. These special categories mirror those included in the DPA with some minor changes: they specifically include data used to identify individuals, such as genetic and biometric data.
Unlike the DPA, which governs processing only, the GDPR applies to both controllers and processors of data. The definitions mostly remain the same, with the controller deciding how and why data is used and the processor acting on behalf of the controller.
At times PEN International acts as both the controller and the processor. Where we are the controller, we will document who the processor is, and where we are the processor, we will document who the controller is.
Our software, a shared drive containing PEN International's data, is risk-managed through the use of strong passwords that are changed periodically, permission groups, and document controls such as password protection and access restrictions.
All our employees are required to complete online data protection training designed to promote acceptable use. This is reviewed annually or when any changes to legislation are made.
In order to achieve full compliance, we have:
- Set up a steering group and engaged a specialist consultant under the direction of the Board to oversee our compliance;
- Commenced a programme of data audits to ensure we fully adhere to the new regulations;
- Started to document fully how and why personal and sensitive data is used in the organisation;
- Undertaken a review of policies and procedures and are in the process of amending these to ensure they are compliant;
- Reviewed colleague training and are in the process of amending this and rolling out to relevant colleagues after the data audit;
- Begun reviewing software requirements and are working with our consultant to identify a more suitable system necessary to ensure compliance.
Emmanuel Asamoah (Finance, HR & Admin Director) and Pavlo Bilyk (Interim Data Officer) have been designated to take responsibility for the management of compliance, security breaches and data updates respectively.