Are Noodle Live preparing for GDPR? Gosh-darn-plonkin’-right we are.
The General Data Protection Regulation (GDPR) is due to come into effect on May 25th 2018. The new regulation aims to build on existing rules around the storage of personal data. GDPR will apply to anyone who gathers or stores data about EU citizens (no, Brexit doesn’t make us exempt).
So what constitutes ‘personal data’? It includes any information relating to a person (the ‘data subject’) that could be used to directly or indirectly identify that person. This covers stored data such as a name, email address or computer IP address. It also covers information such as medical conditions, dietary requirements or social media posts.
Fines for those who fail to comply will be hefty. In fact, you could be fined up to 4% of global turnover or £17 million – whichever is higher. Yikes!
Don’t worry though, avoiding those fines may well be easier than you think. Here’s what we’re doing at Noodle Towers to ensure we’re ready:
How are Noodle Live Addressing GDPR?
In January, we hired a new Chief Technical Officer, Glyn Roberts. Glyn joined us with more than 12 years’ experience in web and mobile projects. Basically, he’s a techie rock star (and he bakes good cakes too, which is a bonus). One of his first tasks at Noodle Live was to look at GDPR and to ensure that we are ready and fully compliant.
We also engaged a team of lawyers to help ensure we were covering all aspects of the regulations. Our team at Stephens Scown understand all the ins and outs of GDPR and were named UK Law Firm of the Year in 2016 (just saying!).
We’ve spent the last six months looking at our internal processes and preparing to lead from the front with the new regulations. As a data-gathering company, it’s very important to us to be able to offer peace of mind and reassurance to all of our clients.
Four Stages of Change
At Noodle Live, we identified four stages of change. These were four areas that we needed to pay attention to in order to get fully in line with the new regulations.
We needed to change the Team Noodle culture to make safe data storage our first priority in all of our work.
In order to do this, we set up formal training sessions for all staff throughout the company. Education around data protection is now compulsory for all new starters and the whole team will be required to attend an annual update session.
Business process change
We needed to look at every aspect of our business to ensure that we are processing all data in a way that is compliant. First, we carried out a review of GDPR and drew up a roadmap of all of the requirements covered in the new regulations.
Secondly, we reviewed all existing technology and solutions already in place to see if they measured up. After that, we aligned all of our processes and created new company policies to cover any gaps between our existing processes and the new regulations. In the final stage, we carried out a review of all systems across the company to check they were defensible from a GDPR position.
To ensure ongoing high standards, we created a strong incident response system so that we continually monitor for problems and improve our systems whenever necessary.
Technology and solutions change
We have reviewed all of our platform architecture to ensure that we follow best practices in all areas of service. To start this process we carried out a security review of all existing technology and solutions in place. We ensured that all data is encrypted both at rest and in transit.
We then created automated tools to allow us to deal with data requests, data changes and data removal. The new regulations state that if someone requests to see what data you hold on them, you must respond within 72 hours. If they ask for that data to be removed, you also have just 72 hours to respond. To avoid leaving this to our human colleagues (we believe in holiday days, and roof time, and Sunday fun days – basically we are not always at our desks), we have automated all of our systems to ensure that we always respond in time.
At Noodle Live, we handle a lot of data on a day-to-day basis, so we needed to ensure that all the data we gather was handled within the regulations.
Firstly, we mapped all personal data that is gathered or stored by Noodle Live: how we receive it, what we do with it and when it needs to be removed. We also looked at data ownership and quality management.
Our lawyers helped us to set up a system for consent management that was fully compliant. This means that we are asking people if they are happy for us to store their data in a way that will allow us to show GDPR regulators that we are following the regulations. We need to be totally transparent about what we will use the data we capture for and who has access to it.
Noodle’s GDPR compliance will be an ongoing project and we will need to keep reviewing our policies regularly. We love inventing new tech products, so we will need to ensure that every new system and product we introduce is up to date and fully compliant.
Need more information about becoming GDPR compliant? Find out what a panel of experts had to say about GDPR at the BNC event show.