This document outlines some of the steps that we have taken or will be taking in order to comply with the EU General Data Protection Regulation (“GDPR”).
Working towards GDPR compliance
We take privacy and data protection seriously. As part of our commitment to protect the personal information of our customers, suppliers and other persons with whom we interact, we have been actively preparing for GDPR since late 2017.
Our preparations have involved a significant amount of activity by individuals and teams within our organisation. Our group of companies has established a Data Governance Authority, which is tasked with ensuring our compliance. Helyx is represented and participates fully as a member of this team. Examples of the group’s GDPR compliance activities to date include:
- Engaging external consultancy specialists to carry out a ‘Gap Analysis’
- Selected staff attending external GDPR workshops and conferences
- Completing and passing the GDPR Practitioner Course and the IBITGQ EU GDPR exam
- GDPR Foundation course training for specifically identified staff
- Data mapping exercise: documenting personal data flows within the organisation
- The Data Governance Authority meets weekly to plan and coordinate our compliance work on GDPR
- Communication of GDPR requirements to relevant individuals and teams within our organisation
Training and awareness
We are putting in place measures to ensure that individuals and teams within our organisation are appropriately trained and aware of GDPR, including the changes we are making to internal policies, processes, procedures and terms and conditions.
Policy, process and procedure review
The Data Governance Authority is reviewing all appropriate policies, processes and procedures. Key examples of these are listed in ‘Personal Data Procedures and Work Instructions’ below. Helyx continues to revise its policies, processes and procedures in accordance with the recommendations of the Data Governance Authority.
Terms and conditions review
We are reviewing and updating our terms and conditions to ensure that GDPR contractual requirements are included in contracts between us and our customers, suppliers and subcontractors.
Data Protection Officer
Our organisation is not required to have a Data Protection Officer (DPO). However, we do place considerable importance on data security and privacy and our Management Team has joint responsibility for ensuring that the recommendations of the Data Governance Authority are fully implemented.
The importance we place on data security and privacy can be seen in our certifications. Helyx is certified as Cyber Essentials Plus compliant. This ensures a well-established approach to ‘Security by Design and Default’ which underpins our approach to the security aspects of GDPR.