Back To Main Page
GDPR Compliance

General Data Protection Regulation Accountability

Many of the GDPR’s data protection principles are currently much the same as those in the current Data Protection Act (DPA). Therefore, our ongoing compliance for B2B Data remains valid under GDPR and has been an excellent base to build on in preparation for the forthcoming EU General Data Protection Regulation start date of 25 May 2018.

The new elements and enhancements being introduced for GDPR have been implemented by BDP Agency according to the steps listed below. The GDPR regulations can be viewed as a living document, with new guidance being introduced ongoing, BDP Agency have pledged to work closely with the ICO and initiate any changes as they are introduced.

The GDPR policy text places greater emphasis on the documentation that data controllers keep to demonstrate their accountability. Therefore, BDP Agency being a supplier of B2B Data will ensure that all data we supply to our clients meet the standards outlined below and that any changes that effect our clients licensing conditions are met.

We have outlined the steps below in our GDPR Summary document and confirm that the relevant sections to our B2B Data services have been met and are monitored on an ongoing basis to identify any changes between now and May 2018.

Step 1: Accountability and governance

1.1: Awareness
Decision makers and key people in your business are aware that the law is changing to the GDPR and appreciate the impact this is likely to have. Your business has identified areas that could cause compliance problems under the GDPR and has recorded these on the organisation’s risk register. Your business is raising awareness, across the organisation of the changes that are coming.

1.2: Accountability
Your business has set out the management support and direction for data protection compliance in a framework of policies and procedures. Your business monitors compliance with data protection policies and regularly reviews the effectiveness of data handling / processing activities and security controls. Your business has developed and implemented a needs based data protection training programme for all staff.

1.3: Information you hold
Your business has documented what personal data you hold, where that data came from and who it is shared with. Your business has planned to conduct a GDPR audit across the organisation to map data flows.

1.4: Data Protection by Design and Data Protection Impact Assessments
Your business has implemented appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities. Your business understands when you must conduct a DPIA and has processes in place to action this. Your business has a DPIA framework which links to your existing risk management and project management processes.

1.5: Data Protection Officers
Your business has designated responsibility for data protection compliance to a suitable individual within the organisation. Your business supports the data protection lead through provision of appropriate training and reporting mechanisms to senior management.

Step 2: Key areas to consider

2.1: Lawful basis for processing personal data
Your business has reviewed the various types of processing you carry out. You have identified your lawful basis for your processing activities and documented this. Your business has explained your lawful basis for processing personal data in your privacy notice.

2.2: Consent
Your business has reviewed how you seek, record and manage consent. Your business has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.

Step 3: Individuals’ rights

3.1: Communicating privacy information
Your business has reviewed your current privacy notices and has a plan in place to make any necessary changes in time for GDPR implementation.

3.2: Individuals’ rights
Your business has checked your procedures to ensure that you can deliver the rights of individuals under the GDPR.

3.3: Subject access
Your business has reviewed your procedures and has plans in place for how you will handle requests from individuals for access to their personal data within the new timescales outlined in the GDPR. Your business has reviewed your procedures and has plans in place for how you will provide any additional information to requestors as required under the GDPR.

Step 4: Breach notification

4.1: Data breaches
Your business has implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. Your business has mechanisms in place to assess and then report relevant breaches to the ICO. Your business has mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.

Step 5: Transfer of data

5.1: International
If your business operates in more than one EU member state, you have determined your business’s lead supervisory authority and documented this.