Inprova Energy is keeping up to date with upcoming changes to data protection legislation and the introduction of GDPR in May 2018. The new data protection rules will encompass a wide range of personal data, including that of our clients, suppliers and employees.
As data processors, we are aware of our obligations to remain compliant and to adapt our processes where we have identified that a change needs to be implemented in line with upcoming GDPR changes.
To achieve this, we have put together a team of stakeholders across the business who will be working on behalf of their departments to ensure that processes are in place to manage and report on the requirements of the legislation whilst safeguarding personal data and system integrity. We will also be working closely with third parties to ensure that we are proactive in identifying and implementing the changes required. We are currently committing resources to:
- A detailed data audit to document how data is managed across departments and systems;
- Data Protection / GDPR Awareness Training for those of our staff with particular responsibility for data;
- Updating our Client Agreements and Data/Privacy Policies as appropriate.
- Increased rights given to individuals: We will be developing a process that allows for information to be provided in a shorter timescale when individuals request access to their data.
- Compulsory notification of data breaches: Data breaches which impact on privacy will have to be notified to the ICO and individuals affected within 72 hours of the breach. We will be putting an action plan in place to deal with this should it happen.
- Transparency: Fair Processing Notices and Privacy Policies are being reviewed and we expect these will need to be updated. We will be working with our clients to share any updates that may affect them.
- Consent: We understand that it will be more onerous to obtain and maintain consent for marketing communications under the GDPR. We will be looking at the consents required from individuals and will work with our employees, clients and third parties to achieve this.
- Right to be Forgotten: We will take steps to understand the scope (which is limited) and to adopt our agreed response to these requests.