This document outlines some of the steps that we have taken from January 2017 in order to comply with the EU General Data Protection Regulation ("GDPR").
Working towards GDPR compliance
We take privacy and data protection seriously. As part of our commitment to protect the personal information of our customers, suppliers and other persons with whom we interact, we have been actively preparing for GDPR since the start of 2017.
Our preparations involved a significant amount of activity by individuals and teams within our organisation. In addition, we established a new team, the Data Governance Authority, which was tasked with ensuring our compliance. Examples of our GDPR compliance activities to date include:
- Instruction of external consultancy specialists for a ‘Gap Analysis’
- Selected staff attending external GDPR workshops and conferences
- Our Chief Information Officer (“CIO”) and ‘IS Business Change Consultant’ both successfully completing and passing the GDPR Practitioner Course and the IBITGQ EU GDPR exam
- GDPR Foundation course training for specifically identified staff
- Data mapping exercise: documenting personal data flows within the organisation
- The Data Governance Authority met weekly to plan and coordinate our compliance work on GDPR
- Communication of GDPR requirements to relevant individuals and teams within our organisation
Training and awareness
We have put in place measures to ensure that individuals and teams within our organisation are appropriately trained and aware of GDPR, including the changes we are making to internal policies, processes, procedures and terms and conditions.
Policy, process and procedure review
The Data Governance Authority has reviewed all appropriate policies, processes and procedures. Key examples of these are listed in ‘Personal Data Procedures and Work Instructions’ below.
Terms and conditions review
We have reviewed and updated our terms and conditions to ensure that GDPR contractual requirements are included in contracts between us and our customers, suppliers and subcontractors.
Data Protection Officer
Our organisation is not required to have a Data Protection Officer (DPO). However, we do place considerable importance on data security and privacy and have therefore ensured that we have a data protection lead (performed by the CIO) and the Data Governance Authority. Our CIO reports to our Operational Management Team on GDPR regularly.
The importance we place on data security and privacy can be seen in our certifications. For example, we are certified in relation to ISO 27001 and Cyber Essentials Plus. Both of these have ensured a well-established approach to ‘Security by Design and Default’, which helps underpin our approach to the security aspects of GDPR.
Esri Inc and ArcGIS Online compliance
We are an authorised distributor of Esri technology, including the Esri ArcGIS platform.
Esri technology is proprietary to Environmental Systems Research Institute Inc. (“Esri” or “Esri Inc”), a company based in the United States of America. Typically the ArcGIS products that you purchase from us will be hosted by you.
However, the ArcGIS Online software as a service product operates from servers located in the United States of America. We have therefore been working with Esri Inc to ensure compliance with GDPR, specifically in relation to ArcGIS Online.
Esri Inc has published several documents which relate to this, and which can be found via the following links:
- Document entitled: “ArcGIS Online: A Security, Privacy & Compliance Overview”
- The following link provides information relating to the security of the ArcGIS platform generally, and specific information relating to privacy and compliance information: Trust ArcGIS
- The following link contains Esri Inc’s contractual provisions for where its Online Services or maintenance are provided and EU Personal Data is provided to Esri. See document entitled “Data Processing Addendum”.