Class Pictures GDPR compliance statement
New data protection legislation, which aims to further protect people’s privacy, came into force in May 2018. The new law applies to all public bodies, businesses and other organisations that process personal data. The legislation comprises the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, and the new Data Protection Act (DPA) 2018, which will come into force around the same time. This will provide a single regulation across the European Union (EU) and place obligations on organisations that operate outside of the EU but provide goods or services to EU citizens.
1. Our GDPR principles
- we will process all personal data fairly and lawfully
- we will only process personal data for specified and lawful purposes
- we will endeavour to hold relevant and accurate personal data, and where practical, we will keep it up to date
- we will not keep personal data for longer than is necessary
- we will keep all personal data secure
2. GDPR compliance
As part of our GDPR process, we reviewed and updated all our internal processes, procedures, data systems and documentation in order to help ensure that we were ready for GDPR in May 2018.
Class Pictures complies with GDPR as a controller and processor of data and has planned and developed a programme of works that delivers what is required by the legislation. This involves working with our suppliers and partner organisations to ensure they can meet these obligations.
We have implemented the relevant policies and practices to ensure we protect any data handled by Class Pictures for its employees, customers, suppliers and partners, specifically including the following:
- employees have been made aware of the GDPR and of the restrictions and obligations within it that may be relevant to them, with the relevant training provided as necessary. Each staff member has been made aware of their data protection responsibilities.
- all new employees joining Class Pictures will receive awareness training as part of our induction programme
- for the most part Class Pictures do not use third-party suppliers to process personal data on their behalf. However, those who are used for the limited amount of outsourcing have been asked to provide details of their state of compliance with the GDPR and, where appropriate, to agree to new contractual arrangements. Any new supplier will not be taken on unless we are satisfied that they comply with the new data protection regulations.
3. Our GDPR actions
• we have appointed a Data Protection Officer
• we undertook analysis of all our business processes where personal data is either held or collected and produced an action plan
• we are reviewing and updating our range of policies, including our Data Protection Policy and Subject Access Requests Policy
• we have introduced mechanisms to identify a potential personal data breach and to determine how breaches will be investigated and reported, where necessary within 72 hours
• we have undertaken a systematic review of the personal data we store, manage, maintain, collect, process and control
• we have assessed our lawful bases for processing data to ensure all personal data is processed lawfully, fairly and transparently
• we have introduced legitimate interest assessments where we rely on legitimate interest as the lawful basis for processing any personal data
• we have raised general awareness within our business of the importance of GDPR and of individuals' responsibilities arising from it
• we are looking, and will continue to look, at ways of improving our systems and procedures to better comply with GDPR best practice
• we will continue to monitor our GDPR plans