GDPR Compliance

1 Introduction

The European Union has taken a huge step towards protecting the fundamental right to privacy for every EU resident with the new General Data Protection Regulation (GDPR), which took effect on May 25, 2018. In the UK, this is implemented as a new version of the Data Protection Act, which will still apply and keep in step with GDPR even after ‘Brexit’.

It means that EU residents will now have a greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data.

Garness Jones (Commercial) Limited is aware of its leadership role regarding compliance and in providing the right tools and processes to support its customers in meeting their GDPR obligations.

2 Garness Jones (Commercial) Limited’s Commitment

At Garness Jones (Commercial) Limited, we have always honoured our clients’ right to data privacy and protection. We only collect and hold the information we need; your details are only used for marketing purposes with your consent, and we do not provide this information to anyone else for any purpose. We also recognise that our suppliers are a key part of our ability to serve our clients, and we put the same effort into protecting them as we do our clients and staff.

We have no necessity to collect and process any individual’s personal information beyond what is required for the provision and management of our services.

Over the years, we have demonstrated our commitment to data privacy and protection by ensuring the technology and tools supporting our services have been implemented to the best data privacy and security standards, but we recognise that the GDPR will help us move towards the highest standards of operations in protecting customer data.

3 How is Garness Jones (Commercial) Limited preparing for GDPR?

As a data controller, Garness Jones (Commercial) Limited understands that it is responsible for ensuring all its staff, suppliers and service providers understand and actively embrace the ideas and intentions, principles and rights of GDPR. And not just in a way which ticks boxes, but which changes the way we manage individuals’ information and then drives the business forwards.

From our customers’ perspective, we understand our obligation to help them prepare for their own GDPR compliance and to ensure our service meets their contractual needs.

This is not something which can be completed overnight, nor does it end when we can say ‘we are compliant’. Therefore, we have embarked on an ongoing journey to become compliant and maintain our compliance as the laws and risks change and evolve.

We have thoroughly analysed GDPR requirements and have put in place a dedicated internal team to drive our organisation to meet them. Some of our ongoing initiatives are:

  • Identifying personal data – We have reviewed each of our business systems and processes to identify the different types of personal data we collect, use, store and dispose of. This has helped us to determine the roadmap we must follow and has also given us the insight to be able to further help our customers with doing the same.
  • Providing visibility and transparency – One of the most important aspects of GDPR is about communicating how the collected data is used. As both a data controller and data processor, Garness Jones (Commercial) Limited’s key role is to provide clarity over what we collect, how we use it and why, and we are pleased to say this is available to everyone in our privacy policy.
  • Enhancing data integrity and security – Data privacy and data security are both intimately related to and dependent upon each other. Analysis of our existing systems and processes indicated several areas where our already individual-focused security measures and processes could be further improved, and we are working towards this, both internally and with our suppliers, and are reinforcing this with independent testing.
  • Breach handling process – We know that no-one wants to have to own up to a mistake, but we take our obligations under GDPR seriously, especially where breaches are concerned. We have now created a Breach Handling process which enables us to respond in the correct manner when things go wrong.
  • Subject Access Requests – Following our earlier work, we have now created a set of processes which enable us to handle any individual’s choice to exercise their rights under GDPR (known as ‘Subject Access Requests’). The details of how to start the process are now clearly stated in our privacy policy.
  • Data Retention – We now have a clear definition of what information we have, what we use it for and how long we need it for, and a process for destroying it when it is either no longer correct or required.
  • Contract Reviews – We have been reviewing our contracts with all our suppliers and sub-contractors to ensure they are suitably compliant with GDPR and working with them to ensure their compliance.

4 What does this mean for you?

We understand that meeting the GDPR requirements will take a lot of time and effort, both for us as a responsible supplier and for you as our member or customer. But we want this to be as painless as possible.

In all cases, you can expect us to provide you with:

  • updated contractual agreements detailing what you can expect from us and equally what we expect from you
  • details of what external organisations we use to process your information and how they themselves meet the GDPR obligations
  • regular communication from us regarding our work on our GDPR compliance journey