Each member state in the EU operates under the current 1995 data protection regulation and has its own national laws. In the UK, the current Data Protection Act 1998 sets out how your personal information can be used.
The General Data Protection Regulation (GDPR) changes how data can be used and is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen data protection. Companies who hold or process data need to be compliant with the GDPR regulation by 25 May 2018.
As an organisation we take issues of information governance and data privacy very seriously and have them at the heart of what we do. We are happy to share with you the following high level overview of some of the steps we’re taking to address the forthcoming changes in data privacy law:
We’re raising awareness of information governance issues across the group through: the delivery of bespoke training, training modules, use of our internal newsletters and the revised IG toolkit made available by NHS Digital.
We’re revisiting our data breach management policy, including arrangements for compulsory breach notification, so that staff know who to contact should an incident arise.
We will engage with sector specific bodies active in setting standards (e.g. the Information Governance Alliance) so that we are aware of any relevant industry codes of practice.
We recognise the need to meet the integrity and confidentiality principles under the GDPR. Therefore we’re reviewing the below to ensure that they are fit for purpose:
- Data security standards.
- Data breach, storage and destruction policies and management.
- Data security action plan.
We will be appointing a Group DPO with overall responsibility for compliance.
We’re reviewing and updating the below to ensure that they are fit for purpose:
- Data privacy related policies and procedures.
- Data sharing agreements and process.
- Fair processing notices (privacy policies) & website terms.
We will review and revise as appropriate our own terms and conditions and those put forward by our customers so that they reflect the requirements of the new regime.
Personally Identifiable Information Collected Regarding Users of Egton Products
By design, Egton products collect only limited amounts of personally identifiable information (PII). The types of PII collected are those that Egton has determined are necessary for our products to function and to provide the services our customers have requested. Examples of the types of PII collected by our products include user name, email address, and log data (such as logon times, IP address, and files accessed).
Egton is continuing to review its data collection practices to determine whether any changes are necessary or appropriate prior to the GDPR.
Personally Identifiable Information Collected by Egton Customers
Many of our customers use Egton products to collect, process, and store PII. In these situations, Egton functions as the data “processor.”
Decisions on what data to collect, how long it is stored and how it is used reside with customers who act as the data “controller.”
As the GDPR implementation date approaches, we are reviewing our systems and processes to ensure that we will be able to fully comply with our obligations as a processor, including providing required assistance to our customers in fulfilling their obligations as controllers.
We are actively working to develop enhanced product features that we expect will help streamline our customers’ compliance efforts.
Because the specific product features used by our customers and the data they collect vary greatly (including use of custom data fields, unstructured data and unique application integrations), we encourage customers who have specific questions or requests relating to GDPR compliance to contact us at firstname.lastname@example.org