Our approach to GDPR
Northgate Public Services (NPS) has been providing data processing services to its customers for many years, including the processing of personal data as covered by Data Protection legislation. We have robust and proven policies, processes and controls in place to ensure that our customers’ personal data are handled in line with the Data Protection Act.
As a result, we are compliant with much of the GDPR and are well placed to complete the work for NPS to be ready when GDPR becomes effective from 25th May 2018. This is in line with the Information Commissioner’s Office statement that “Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR”.
NPS has a programme of activity underway to review our existing policies and processes and build on these to meet any requirements under GDPR. Among other policies, processes and controls we already have the following in place:
- An information security management system (ISMS) which is certified to the international ISO27001:2013 standard. In particular this covers:
  - Security and access controls for our data centres and hosted systems
  - Pre-employment checks for all staff to government Baseline Personnel Security Standard (BPSS)
- Annual security and compliance awareness training for all staff. This covers Data Protection and, this year, includes information about GDPR. Additional in-depth awareness training is given to staff who process personal data on behalf of customers.
- Other controls are in place for specific customer situations and are independently accredited by government approved accreditors
What we’re doing to meet the additional requirements for GDPR
We have appointed a Data Protection Officer whose immediate task is to manage a programme of activity, notably covering the following areas:
- Reviewing our application products in the light of the functionality required to help our customers meet their obligations under GDPR – particularly in relation to data retention and disposal, subject access requests and right of removal.
- Enhancing our records of the processing activities we undertake in relation to our role both as data controller and as data processor on behalf of clients
- Enhancing our notification processes to meet the GDPR requirement
- Updating privacy notices and, if necessary, data consent processes
Our product teams will be contacting you through the normal bulletin channels with updates on the products in use at your organisation.
If you have further comments or questions please contact us at GDPR@northgateps.com