GDPR

GDPR Statement & Compliance; Procura Consulting

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU) and comes into force on May 25th 2018

The GDPR imposes new obligations on organisations that control or process relevant personal data and introduces new rights and protections for EU data subjects.

The GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Procura Consulting places a high importance on information security. We already comply with a number of standards that focus on information data security, including Cyber Essentials.

Procura Consulting comply with the GDPR as a processor and controller of data.

We are registered with the UK Information Commissioner's Office. You can see our certificate here 

The key points, in plain English;

Our website uses cookies and, when you visit, your consent will be specifically requested

If you contact us from our website (or by phone or email, or even letter) we use your details to respond, then they are deleted. Or, if there is a legitimate reason for retaining them (you are interested in our services) they are held securely in our system where you can opt-out at any time and/or deleted at any time on your request.

As part of our normal business development we reach out to people who we think will find our services beneficial and to people who we think are interested in the Insights articles we produce. If we contact you by email, you can opt-out at any time and your data can be automatically deleted at your request. All the options are on every email.

We will be as open as we can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to us for any personal information we may hold you need to put the request in writing to the address provided below.

If we do hold information about you, you can ask us to correct any mistakes by writing to the address below.

If you apply for a job with us, we hold your details only until you get a job or, (sorry), you are rejected. If you are rejected, our HR system automatically deletes your information.

If you are a client, we are likely to be managing data on your behalf. For this we are a processor of your data and take the utmost care and attention to protect it and, once finished, we’ll return it to you. Our agreement with you covers all aspects of GDPR obligations.

If you have any concerns, on any aspect of data security or compliance, please contact: info@procuraconsulting.co.uk

 
In preparation for GDPR we have:

  1. Established a governance framework that covers board awareness, a risk register, the accountability framework and the review process.
  2. Appointed a Data Protection Officer. The Data Protection Officer for all Procura group companies is the Managing Director, Richard McIntosh.
  3. Created a data inventory that identifies processors and ensured that no data is held unlawfully.
  4. Conducted a data flow audit.
  5. Engaged with our service and technology partners to ensure they are compliant
  6. Conducted a gap analysis to assess our compliance to ensure that our business processes are robust and in accordance with the Regulation.
  7. Conducted a data protection impact assessment and a security gap analysis as part of our Cyber Essentials
  8. Created a data breach response process and provided training to our people.

 

This means:

Client Contracts: our Master Services Agreement already addresses GDPR compliance.

Website Data Collection, Consent and Privacy Policy: we have updated our framework and privacy policy to incorporate the GDPR obligations.

Data Inventory: we have undertaken a review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records. Assessments of the data reviewed information flow, data transfers, risk reviews, and structural position in relation to Lawfulness, Purpose, Minimisation, Accuracy, Consent, Limitation, Integrity & Confidentiality, Record Keeping and Accountability.

Training & Awareness: all employees are made aware of the GDPR and have been trained on the data breach response process.

Supplier & Partner relationships: where relevant and related, we have used all reasonable endeavours to ensure that our third party and suppliers are complying with the GDPR.

Technology: we have used all reasonable endeavours to ensure that our third party and suppliers are complying with the GDPR

The DPO and Procura Consulting Directors will continue to oversee our GDPR compliance as a regular part of our governance.

Richard McIntosh,
Managing Director
Data Protection Officer, Procura Consulting
May 2018

Find out more about your rights on our Privacy Page here.

Procura Consulting Ltd, 99 Bishopsgate London EC2M 3XD info@procuraconsulting.co.uk