In preparation for the General Data Protection Regulations (GDPR) coming into place on 25th May 2018, Licence Bureau isformulating and reviewing all of our processes and procedures in order to ensure full compliance.
There are a number of exclusions still being confirmed that will apply to the United Kingdom, therefore, at this point we are not fully-aware of what is actually required for companies based in the UK and those based in Europe.
To help our customers understand the steps we are taking to comply with the GDPR, we have compiled the below points, based on the 12 steps the ICO suggest organisations take in order to prepare.
Awareness
Decision makers within Licence Bureau are fully aware of the upcoming changes to law and are working closely with the Compliance Manager to identify any areas that could cause compliance issues under the GDPR.
Over the coming months the importance of the upcoming GDPR is being communicated to all members of staff within the business, alongside any necessary changes being put in place.
Our Compliance Manager is undergoing further training to ensure that we are completely up to speed with the upcoming changes. All other staff within Licence Bureau are aware of the upcoming GDPR and possible changes. Staff will be continually updated and trained as we progress.
Information we hold
A requirement of the GDPR is that organisations’ document the personal data we hold, where it came from and who we share it with. This will be viewed from 2 points, as a data processor and an employer. We will undergo a full information audit to ensure all aspects are documented.
Our system already provides transactional logs for the data we obtain and store. We are able to track where it has come from and who has submitted it.
The data we hold is obtained from the DVLA therefore accountability lies with the DVLA should any data be incorrect.
Privacy Notices
Our privacy notices’ have recently been revised, however with the more strict legislation coming into play, these will be updated accordingly throughout the course of preparation.
Individuals’ Rights
Licence Bureau are currently able to provide a driver with their data that we hold electronically, in a secure manner, however we are working towards a system that will allow a driver to view this themselves, at any desired time. We will also be reviewing our process in line with ‘Right to Erasure/Deletion’, which will include identifying what data we are contractually bound to retain, and what we can destroy.
Subject Access Requests
In order to comply with the more stringent legislation, we are currently working on providing each data subject with a personal login to their data. This will provide real-time access and allow them to ensure their data is correct and up to date.
Processing Personal Data (lawful basis)
Our Managing Director and Compliance Manager will be working together in the coming months to ensure that all client data we hold for them is reviewed and we can justify the reason for holding each piece of data. This will then be outlined in our Privacy Notice.
Consent
It is not thought that our approach to gaining consent will need to change however we await confirmation from DVLA.
Children
Due to the nature of our business, any driver with either a provisional or full driving licence will always be over the age of 17. This means that they are able to give their own consent and parental or guardian consent is not needed in order to process the data.
Data Breaches
Licence Bureau already have a complaints and data breach procedure in place, however as part of our preparation for GDPR these will be reviewed, improved and updated.
Protection Impact Assessments
Our Managing Director and Compliance Manager will be working together in the coming months to ensure that all client data we hold will undergo a full risk assessment. This will allow us to identify any impacts to the client that could occur.
Data Protection Officer
Our Compliance Manager is currently undergoing training and preparation to become the key contact within our business that steers us in the right direction towards the GDPR and ensures full, on-going compliance, with the support of the Managing Directors.
International
Licence Bureau do not currently operate in more than one EU member state, and we do not transfer any data outside of the UK.
General Data Protection Regulations (GDPR) PDF
