Versions Compared
...

The new EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 (including in the UK, regardless of its decision to leave the EU) and affects every organisation that holds or processes personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement, and substantially higher penalties than under the current Data Protection Act (DPA), which it supersedes.

...

Claritum's GDPR Approach

Claritum is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards and will comply with applicable GDPR regulations when they take effect in 2018, as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.

The company has two main areas of focus in preparing for GDPR, overseen by an internal cross-functional team:

...

It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.

Compliance

Claritum already has robust information security policies and procedures, and policies such as the Incident Response Plan and Backup Data Retention are reviewed and updated on a regular basis.
Claritum also ensures compliance in relation to the data controllers, the use of sub-contractors and any data export arrangements by reviewing existing contracts and having the relevant arrangements in place.

Contract

...

A new addendum to your current contract is being prepared and Customer Services will be contacting you to get this approved and in place.

...

The contract between Claritum and our clients covers the rights and responsibilities on both sides: you, the ‘data controller’, and Claritum, the ‘data processor’, under the terms of the GDPR.

...

As with all compliance programmes, clear documentation of and consistent adherence to the policies is key and so Claritum is working towards ISO 9001 compliance. More information about this will be available over the coming months.

Data Protection Officer

Even though (technically) Claritum are not required to do so under the terms of the GDPR, Claritum have appointed a Data Protection Officer (‘DPO’) whose task is to inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, providing necessary security and ongoing delivery of objectives.

...