The European Union’s General Data Protection Regulation (GDPR) came into effect on 25th May 2018 bringing with it wide-ranging changes and new responsibilities for organisations that process personal data. These changes will affect all organisations which hold or process personal data, including Leighton.
This document outlines the anticipated impact on Leighton and our approach to ensuring our compliance with the new legislation.
Are we a data controller or a data processor?
A ‘data controller’ is an entity that controls how and why personal data is processed and a ‘data processor’ uses, handles or works with the data under the instruction of the controller. Therefore, Leighton is a data controller in that we store and manage data about our customers, suppliers and staff. Leighton is also a data processor for the purpose of existing data privacy legislation and GDPR.
How does the GDPR affect us?
The GDPR affects Leighton in its capacity as a data controller for the information we store and manage about our customers, suppliers and staff. However, our core business is providing software development and delivery, technical support. In this respect we may need to process data under the instruction of a data controller and therefore we are a data processor.
Consequently, we must take heed and be compliant with the requirements for both data controllers and processors.
How are we becoming compliant?
Leighton has always taken its responsibility for information security and data protection seriously and hold ISO 27001:2013 Information Security certification. Consequently, we have always operated high standards of information security and data protection and we are committed to maintaining those high standards.
Leighton has two main areas of focus in preparing for GDPR:
1. Ensuring our own compliance.
2. Assisting the users of our onboarding application with their compliance.
Our compliance Prior to the GDPR, Leighton had already implemented company-wide information security and data protection controls through its ISO 27001-certified Information Security management System (ISMS).
Leighton also undertakes annual external, independent gap analysis of our existing controls against the GDPR’s requirements to understand where they need to be augmented or where additional controls need to be introduced.
Leighton then use the output from these annual external gap analysis exercises to inform and establish a GDPR compliance programme which includes the following key activities:
• A review of all data processing activities including confirmation of our lawful bases and purposes for processing data, where data resides, how data is secured and who can access or change data.
• Refreshing our staff Data Protection and Information Security Training.
• Updates to our internal security processes to meet GDPR requirements including processes associated with data subject rights, personal data breach response, privacy by design and third-party compliance.
• Updates to internal policies, procedures and privacy notices.
• A review of the contractual terms between Leighton and our customers and suppliers. Leighton has also engaged an Information Security Manager (ISM) with responsibility for advising and monitoring our compliance with all applicable data protection laws.
Leighton understands the importance of informing our staff, customers and suppliers of any incidents or breaches that may affect their data. Leighton is confident that our technical and organisational measures significantly reduce the risk of data breaches however, in the unfortunate event that a breach does occur, we are prepared to provide timely notification to all interested parties and assist with any ensuing investigation.
Will our contracts change?
GDPR contains a legal requirement obliging organisations to update existing contracts that deal with data protection to a more detailed standard. To comply with this requirement Leighton regularly reviews and amends our standard terms which sets out each party’s obligations in relation to data protection. In incorporating these updates, the document sets out in more detail, each party’s responsibilities in relation to how and for what reason either party is collecting, using or handling personal data.
Further questions and to unsubscribe
To ask any questions or unsubscribe to our communications, email us at firstname.lastname@example.org