Customer: Uniphar PLC
Category: Governance / Accountability
Project: Advising on an appropriate Data Protection Governance structure for the Uniphar Group of companies
We understand that compliance with Data Protection legislation is difficult to navigate and we know that noncompliance can seriously affect the growth and success of your business.
Fort Privacy have years of hands-on Data Protection expertise with companies just like yours.
The organisation defines a clear Data Protection strategy that is reflected in policies and procedures and in the roles and responsibilities assigned to the organisation’s processing activities.
Governance Overview
An organisation should ensure that roles and responsibilities are assigned to the organisation's processing activities. Many organisations will be required to appoint a Data Protection Officer and will need Data Protection Champions/Teams in place to ensure that compliance requirements are met. It is necessary to ensure that the registration requirements with the applicable Supervisory Authorities are completed.
Fort Privacy provides the following services under the governance category:
Governance related Articles of the GDPR
Article 5, Article 24, Articles 37-39, Article 40;
The ability to demonstrate compliance and account for all data processing activities
Accountability Overview
Demonstration of compliance with Data Protection legislation is a key compliance requirement. Organisations should be able to account for all data processing activities.
Appropriate measures such as records of processing activities, activity logs, training logs, audits and risk registers should be in place to demonstrate compliance.
Accountability related Articles of the GDPR
Article 5, Articles 24-25, Article 28, Article 30, Article 32, Article 35, Articles 40-43; Recitals: 69, 74, 78, 81, 82, 84, 85; Oversight of remedies, liability and penalties: Articles 77-84.
The organisation provides clear statements to data subjects and communicates all required information about its processing activities
Transparency Overview
It should be clear and transparent to individuals that personal data concerning them is collected, used, transferred or otherwise processed and to what extent the personal data will be processed. Communications relating to the processing of personal data should be concise, transparent, easily accessible and easy to understand.
Compliance is achieved in this category through Data Protection Statements, Cookie management activity and other notices.
Transparency related Articles of the GDPR
Article 5 (a), Article 12, Article 13, Article 14, Article 24, Article 26; Recitals 39, 58, 60, 71, 78, 97, 100;
The organisation discloses personal data outside the organisation only for the purposes identified and has all required transfer mechanisms in place.
Data Transfer Management Overview
Where an organisation transfers personal data to another organisation, the transfer should be consistent with the purpose of processing and appropriate transfer mechanisms should be in place. These come in the form of Data Processing Agreements, Standard Contractual Clauses and Binding Corporate Rules.
To meet compliance requirements due diligence should be completed on suppliers to ensure that adequate safeguards are in place for the transfer and processing of the personal data.
Data Transfer Management related Articles of the GDPR
Articles 13-15, Articles 28-30, Article 32, Articles 44-50;
The organisation ensures it can identify a reliable lawful basis for each processing activity
Legal Basis Overview
An organisation must ensure that it identifies a reliable lawful basis for each of its processing activities. Data protection legislation sets out a number of legal grounds for processing personal data. Each processing activity must have a sound legal basis.
Special Category Data requires an additional legal ground to be identified for that processing activity.
Legal Basis related Articles of the GDPR
Article 5 (1) (a), Article 6, Article 7, Article 8, Article 9, Article 10
The organisation documents and implements policies and procedures for reporting and managing personal data breaches.
Data Breach Management Overview
An organisation should document robust policies and procedures for identifying, reporting and managing personal data breaches. Failure to do this can come at a huge cost to an organisation.
Data Breach Management related Articles of the GDPR
Article 33 and Article 34.
The organisation manages the security of personal data and of systems that it uses to process the personal data
Security Overview
Organisations must manage the security of personal data and the systems that they use to process the personal data. The technical and organisational measures deployed should be appropriate to the processing activities being undertaken by an organisation.
Key to compliance with this category is the implementation of robust policies and procedures that are embedded in practice. Documented Technical and Organisational measures should be in place. This is an invaluable compliance activity that can help you demonstrate to your customers that you are operating in compliance with the GDPR.
Security related Articles of the GDPR
Article 32, Article 28
Policies and processes are in place to facilitate and respond to data subjects who invoke their rights
Data Subject Rights Management Overview
Data Protection legislation provides certain rights for individuals whose personal data is collected, used, transferred or otherwise processed. These include
The most commonly used right is the right of access. Robust data subject access request policies and procedures are crucial for most organisations to meet compliance requirements.
Data Subject Rights related Articles of the GDPR
Articles 12-23;
The organisation manages personal data processing activities to ensure consistency with the principles of purpose limitation, data minimisation, accuracy and storage limitation.
Data Management Overview
Organisations should manage personal data processing activities to ensure consistency with the data protection principles of
Many organisations struggle with managing the retention of personal data. The approach to this should be systemic, starting with the legal basis for processing. Compliance activities for Data Management include documenting a record retention schedule for all processing activities and ensuring this is implemented.
Data Management related Articles of the GDPR
Article 5 (1) (b) "Purpose Limitation", Article 5 (1) (c) "Data Minimisation", Article 5 (1) (d) "Accuracy", Article 5 (1) (f) "Storage Limitation"
The organisation provides and implements a framework for data protection change management
Change Management Overview
Organisations should implement a framework for managing changes to processing activities giving full consideration to data protection. This includes the implementation of Data Protection Impact Assessments (DPIA) to assess the impact a change in process could have. These assessments can serve to underpin the decision to implement the change.
DPIAs are a legal requirement under the GDPR in many cases, and even where they are not strictly necessary they are an invaluable exercise that (i) assesses whether the processing activity is viable and (ii) ensures all necessary compliance requirements are in place before the processing proceeds.
Change Management Articles of the GDPR
Article 35, Article 25
Category: Accountability / Governance / Security Management
Project: Documenting a Record of Processing Activity
Category: Data Transfer Management / Governance
Project: Advising on an appropriate Data Protection Governance structure for the Uniphar Group of companies
Category: Legal Basis Management / Accountability / Governance
Project: Marketing Policy
Category: Change Management / Governance / Transparency / Data Transfer Management
Project: Move to Remote Examinations
Category: Accountability / Data Transfer Management / Breach Management
Project: 6 month compliance programme
Category: Accountability / Data Transfer Management
Project: GDPR GAP Audit
Category: Transparency / Accountability / Legal Basis Management
Project: Advising on an appropriate Data Protection Governance structure for the Uniphar Group of companies
Category: Data Management / Accountability
Project: Building Record Retention Policy and Schedule
Category: DSAR Management / Accountability
Project: Supporting customer to respond to a Data Subject Access Request
Category: Security Management / Accountability
Project: Documenting the Technical and Organisational measures
Category: Breach Management / Accountability
Project: Building Breach Management Policies and Procedures
Category: Data Transfer Management / Accountability
Project: Embedding data protection compliance into the supplier procurement process
Category: Transparency / Accountability / Legal Basis Management
Project: Data Protection Statement
Category: Transparency
Project: Cookie compliance
Category: Change Management / Transparency / Security Management
Project: Mobile app development
Category: Legal Basis Management
Project: Legal Basis Review
Category: Data Management / Legal Basis Management
Project: Purpose Limitation and ROPA
Category: Data Transfer Management / Governance
Project: Data Processing Agreements
Category: Breach Management
Project: Breach Management Team