Europe’s new General Data Protection Regulation comes into effect on 25 May 2018. It embraces a risk-based approach to data protection. Firms are required to adopt this risk-based approach and are encouraged to implement protective measures that correspond to the level of risk of their data processing activities.
As with all relevant regulatory change, Ipes takes this change seriously and is adapting to meet it. We have appointed a Group Data Protection Officer, Andy Pryke, to coordinate the work needed to be compliant when GDPR goes live.
We have completed our first-phase preparation, which was to develop a gap analysis showing where we should consider upgrading our existing controls.
We have also considered the risk our processing activities could cause to an individual, should a data breach occur. Taking account of our activities and the type of data held and processed by us, we have reached the conclusion that our activities could cause a low to medium risk of harm.
We have developed a project plan listing the necessary actions we need to take, and have considered what is necessary for this plan based on our low/medium level of risk. The plan includes updating our existing governance framework, delivering training and updating our IT environment.
Our work includes considering which of the client vehicles we provide services to are required to be registered as Controllers and, where required, carrying out that registration on our clients’ behalf.
We will provide further updates in due course. If you have any queries in the meantime, please speak with your usual Ipes contact.