GDPR affects every business and organisation and became law on 25th of May 2018.
Boxall Hurst Consulting are GDPR Practitioners with ISO 17024 accredited certifications and are fully qualified to help businesses, schools and organisations achieve GDPR compliance.
Do I need a GDPR consultant?
Compliance is not just a case of ticking a few boxes, your organisation must have GDPR policies and procedures in place, and be able to respond quickly to data breaches and subject access requests. Although you may not need to change your business practices you do need to be able to demonstrate compliance, and your staff need to be aware of the new rights of individuals.
How do we help your business become GDPR compliant?
Free Initial Consultation
First we explain the new regulation, get an overview of your oranisation, and then give you an outline of what’s required to become compliant. We offer this initial consultation for free and without any hard sell.
We examine the personal data you are storing and using, and create a risk matrix based on the importance of the data to your organisation and the risk to the rights of individuals. We then suggest ways to reduce these risks, for instance by minimising the types of personal data collected and implementing a data retention policy.
Compliance Gap Analysis
We then start by helping you complete a detailed EU GDPR gap analysis questionnaire. This will identify business practices that need addressing and forms the basis of an action plan. At this stage we can usually identify if you need to appoint a Data Protection Officer.
The next step is to create or update your company policies and procedures, and give your staff awareness training on the rights of individuals that engage with your business.
We then perform a data audit and create a data flow map. These are important exercises that help to identify what personal data you store, what you use it for and how it flows through your business.
We recommend a policy of continuous improvement and suggest that you review your GDPR compliance at least once per annum.
Frequently Asked Questions
The GDPR is a European regulation that replaces the Data Protection Act 1998 in the UK. It provides greater protection for the personal data of individuals in the EU.
The GDPR applies to all organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Yes. You still control the personal data of your employees, and even the work email addresses and phone numbers of your customers and suppliers can be classed as personal data that falls under the scope of GDPR.
The UK government has indicated that after Brexit the GDPR will be replicated into UK law as the Data Protection Bill, and the UK will need to be aligned with GDPR to have access to the EU digital market.
In most cases, you should appoint a data protection lead to oversee your GDPR compliance. If you are a public authority, or if you carry out certain types of processing activities then the GDPR introduces a legal requirement for you to appoint a Data Protection Officer (DPO).
GDPR protects almost all types of personal data, including basic identity information, financial data, web data and more. Certain types of data cannot be processed unless data subject has given explicit consent; this list includes biometrics, racial or ethnic origin, political opinions, and data concerning health.
It is still possible to send unsolicited emails to existing contacts that you have a business relationship with, but the law is now much more restrictive regarding general marketing emails. Contact us for more advice to make sure that you are on the right side of the law.
If you want to send marketing to another business, you will also need to look at the Privacy and Electronic Communications Regulations 2003 (PECR).
There are 8 fundamental rights of individuals under GDPR. These are:
The right to be informed
Organisations must be completely transparent in how they are using personal data.
The right of access
Individuals will have the right to know exactly what information is held about them and how it is processed.
The right of rectification
Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
The right to erasure
Also known as ‘the right to be forgotten’, this refers to an individual’s right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
The right to restrict processing
Refers to an individual’s right to block or supress processing of their personal data.
The right to data portability
This allows individuals to retain and reuse their personal data for their own purpose.
The right to object
In certain circumstances, individuals are entitled to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
Rights of automated decision making and profiling
The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.
Why use Boxall Hurst Consulting?
We have ISO 17024 accredited certifications and are fully qualified to help businesses, schools and organisations.
We each have over 20 years of experience helping businesses with their IT, cybersecurity and compliance issues.
Free Initial Consultation
We offer a free initial consultation, either by phone or Skype, or in person depending on your location.
Boxall Hurst Consulting is a trading name of Micro Maintenance Limited, Registered Office: Unit 2, Courtlands Estate, Antlands Lane, Horley RH6 9TE