General Data Protection Regulations
We at CHICKS are committed to ensuring the data we hold on staff, volunteers, our Board of Trustees, referral agents, families and any of the third parties we work with is both processed legally and protected.
We know that complete compliance with the new General Data Protection Regulations (GDPR) introduced in May 2018 can only be achieved through a collaborative and transparent approach and we want to ensure that this is comprehensive and complete.
We have been working on the following:
- Identifying a Data Protection Officer
- Data mapping and creating a Data Asset Register
- Embedding data privacy into all our processes
- Assessing information security risk
- Looking at third party risk and our data partners
- Preparing to respond to individual complaints and data subject access requests (DSARs)
- Data Privacy Breach procedures
- Ongoing monitoring
GDPR Roll Out
We have started to roll out new GDPR privacy notices and will publish updated policies on this website.
We will ensure that all processing of data performed within CHICKS complies with the GDPR. Under the new regulations, there are six lawful processing conditions:
- Compliance with a legal obligation
- Performance of a contract
- Legitimate interest
- Public interest
- Vital interest
Consent is changing to be more explicit and transparent so at the point of data collection, the individual will need to be informed exactly how their data will be used and who it will be shared with.
Governance Structure and Data Protection Officer
Data privacy is discussed regularly and reviewed.
CHICKS has appointed a named Data Protection Officer, Joanna Foster, who reports to CHICKS Chief Operating Officer, Sarah Smith.
Joanna is embedding data privacy into operations while also monitoring activity on an ongoing basis.
Awareness training is taking place for all staff to ensure a deeper level of understanding of the new regulations, allowing staff to easily identify risks and prevent them from happening.
Data Mapping and Data Asset Register
We are completing a data mapping exercise. This will enable us to know in full detail what data we have, where it is held, how we access it, the classification of the data, records for transfer and flow charts to show how data moves between systems and processes.
A lot of information that already exists is held across several systems, so we will be implementing a Data Asset Register, which will capture all data processing, aiding transparency and supporting the tight controls which are required to ensure compliance.
Embedding Data Privacy into day to day life of CHICKS – Training and Awareness
We will be launching an internal initiative called CHICKS Compliant. This ongoing program will have four key principles to ensure our team members do the right thing:
- We will ensure we know what we can do with data, and if unsure, we’ll ask
- We will be clear about how we’re going to use data
- We will ensure we protect the data we hold and process
- We will ensure compliance, both individually and as a team
Underpinning this is not only communication, but clear policies and procedures, plus mandatory training for all staff.
Information Security Risk
We are implementing robust systems to manage our CHICKS networks.
This will include technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our staff, a data-loss prevention strategy and regular testing of our security systems.
Third Party Risk and our Data Partners
Due diligence prior to working with a third party is key to ensuring data has been gathered lawfully, and to ensure any data we share will be secure. If any third-party partners need to comply with GDPR, we'll ensure they do.
Responding to individual complaints and data subject access requests (DSARs)
We already have a process for dealing with queries and this will be extended to accommodate subject access requests. This is a requirement under the Data Protection Act, therefore we are confident our processes will meet this requirement when in place, we will also continually review for improvement. The key difference under GDPR is the timescale for response to a DSAR is reduced from 40 days to 30 days, which we do not foresee as an issue.
Data Privacy Breach Management Program
We are implementing an effective data privacy incident and breach management plan, which we will continue to review and enhance as required.
Internally we will conduct audits and ad-hoc walk-throughs to make sure we are continually compliant. A regulatory monitoring report will be issued to ensure we identify (and then action) privacy compliance requirements, such as changes in the law or best practice.
The above actions were last updated in June 2018.