General Data Protection Regulation (GDPR)
1. Civica Group Overview
The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 (including in the UK, regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties compared with the current Data Protection Act (DPA), which it will supersede.
Civica is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including ISO 27001 and PCI-DSS. The company will comply with applicable GDPR regulations when they take effect in 2018, including as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services. Our team of experienced business analysts, consultants and digital specialists will also help to support customers in meeting their obligations through the provision of expert services and value-adding solutions.
The company has three main areas of focus in preparing for GDPR overseen by an internal cross-functional team:
- Building on existing security and business continuity management systems and certifications, including ISO 9001, 27001 and 22301, PCI-DSS and IGSoC, to ensure our own compliance
- Product programmes to support compliance for users of our software applications including solutions to streamline the process and drive greater efficiency
- Provision of services and solutions which help customers to understand and prepare for GDPR, develop compliance plans and build a stronger platform for the future by taking control of their data
It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.
Civica has a robust ISO-based Information Security Management System (ISMS) and, in order to ensure compliance, will implement additional or augmented company-wide controls within the ISMS to meet GDPR requirements, using internal and external advisors. Led by our Head of Operational Security & Resilience, updated information security policies and procedures will build on existing management systems (including ISO 27001 and ISO 22301) and on the foundation of our Information Control and Classification policy, informed by gap analysis and data protection risk assessments and supported by communication and training programmes.
Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.
Civica’s Data Protection Officer will inform, advise and monitor compliance. The company will implement tools as appropriate to support the process, provide the necessary security and ensure ongoing delivery of objectives.
In many areas the hosted services provided by Civica already conform. As data processor, the company is undertaking risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention will be reviewed and updated.
2. Civica software applications
Civica’s broad range of software applications are used to provide efficient and high quality services. As such the company is committed to providing technology solutions to support customers’ GDPR obligations, whether through standard features or added value solutions or toolkits.
All organisations will need to be confident, for example, that personal and transactional data can be located and anonymised or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data.
Customers should contact their account manager to understand what features are available to enable this, from data cleansing and subject access reports to specific data retrieval and disposal tools. These tools create efficiencies by allowing organisations to locate, anonymise and remove data with minimal administrative effort, enabling a quick and efficient response to information requests.
3. Helping customers adapt to change
The volume of data handled by organisations is growing and is captured, processed and stored on an increasing number of devices and networks. Obligations such as data protection impact assessments, active mitigation of risks and evidence of risk management measures will require organisations to develop a more disciplined approach to customer data, especially those organisations with personal data spread across many locations and/or systems with varying levels of personal data quality and ownership. Furthermore, investing in the management of consent presents an opportunity to build trust and provide increasingly useful services.
Civica’s team of experienced analysts and consultants can support customers in their journey to compliance and beyond, supported by our dedicated digital division. Civica Digital brings deep expertise in information and data management as part of a complete capability to deliver a new generation of digital services from concept to implementation. Services offered include:
- Awareness workshops to help organisations to fully understand GDPR and what must be done to demonstrate compliance
- Readiness assessments, to assess preparedness for the arrival of GDPR, identify gaps and risks and formulate roadmaps to achieve compliance
- Software tools, to help measure and track GDPR compliance across an organisation
- Technology platforms to drive improved customer interaction and consent management while ensuring better compliance as part of broader digital transformation.