General Data Protection Regulation

Statement

The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and will impact every organisation which holds or processes personal data. On coming into force, it will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the current Data Protection Act (DPA) which it will supersede.

Celaton is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including ISO 27001. The company will comply with applicable GDPR regulations when they take effect in 2018, including as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.

The company has three main areas of focus in preparing for GDPR overseen by an internal cross-functional team:

1. Building on existing security and business continuity management systems and procedures, the company is currently well on the way to ISO 27001 approval and expect to have this completed during the first half of 2018.

2. Product programmes (including training) to support compliance for users of our software applications including solutions to streamline the process and drive greater efficiency.

3. Provision of services and solutions which help customers to understand and prepare for GDPR, develop compliance plans and build a stronger platform for the future by taking control of their data.

It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.

Compliance

Celaton has a robust ISO-based Management System (ISMS) and in order to ensure compliance will implement additional or augmented company-wide controls to meet GDPR requirements within the ISMS using internal and external advisors. Led by our Data Protection Officer, updated information security policies and procedures will build on existing management systems with the implementation of ISO 27001 along with adherence to our Information Security policy, informed by gap analysis and data protection risk assessments and supported by communication and training programmes.

Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.

Celaton’s Data Protection Officer will inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, provide necessary security and ongoing delivery of objectives.

In many areas the hosted services provided by Celaton already conform. As data processor, the company is undertaking risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention will be reviewed and updated.