We have been working hard over the last two years to ensure our already strong approach to data security aligns with the new General Data Protection Regulation (GDPR).  Although we are pleased that we are now fully GDPR compliant, the road doesn’t end there.  We will regularly being review our processes, procedures and security measures to ensure that we continually improve and develop.

To prepare for the GDPR, ITM established a working party with representatives from all our business units. The aim of the working party has been to ensure we fully understand the implications of GDPR for both ourselves and our customers. Given the nature of ITM’s business the security of client’s data is a priority.

The working party have travelled a long and winding road completing tasks such as data mapping, updating and issuing appropriate communications, considering how to deal with data subjects’ rights, updating data breach procedures, determining lawful bases for processing data and updating contracts.  We have had to think about both client data and our own internal data such as HR data in respect of employees.

As a data business we hold large amounts of data. Mapping the data we hold and documenting it has therefore been an important job and essential to give us a full understanding of the data that we process.  We have reviewed all the data we hold, considering exactly what data we require, how long we need to keep each data item, who we share it with and, where we are the data controller, the lawful basis for holding the data.  We have recorded all this information in our Record of Processing Activities and associated data retention schedules.

Part of this exercise has included carrying out due diligence on all our suppliers to ensure we are satisfied that they are holding our data securely. We have also completed questionnaires from our customers providing assurance that we are holding their data securely and in line with the requirements under GDPR.

GDPR requires specific clauses to be included in data processing agreements. A big part of the project has therefore been updating contracts with both our clients and suppliers to ensure these meet the new requirements under GDPR.

ITM have an established information security management framework which is audited and complemented by the achievement of ISO27001 and Cyber Essentials Plus.   Several technical and physical controls have been implemented and are maintained to ensure the ongoing confidentiality, integrity and availability of all data stored and processed and resilience of processing systems and services.

ITM are satisfied that our technical and organisational security measures meet the relevant requirements of the GDPR.

Yes.  ITM’s business is all about data and we consider it essential that we have a Data Protection Officer. Should you have any questions on ITM’s approach to data protection or specific queries on the security of your data please contact either our Data Protection Officer (by email at DPO@itm.co.uk) or your usual contact.

• Do you know a good GDPR consultant?
• Yes
• Can you give me his contact details?
• No