Verve is committed to safeguarding personal and sensitive data and works in line with all applicable laws concerning the protection of personal information, including the Data Protection Act 1998, and has prepared for the implementation of GDPR (General Data Protection Regulation (2016/679 EU)).
As an accredited ISO 27001 business, our commitment to data security has always been a priority. We have a collection of processes and policies that are fully auditable, and we regularly review and improve them.
In line with GDPR requirements, we have undertaken a complete review of our structure, processes and policies, and our ISO 27001 requirements gave us a detailed structure to follow.
As part of this we have clearly identified the following areas of importance:
- Data Security
- Data Impact Assessments
- Data Subjects' Rights
- Transferring data from the EU.
Our action plan, which is in progress and will enable us to meet the May 25th 2018 deadline, includes (but is not limited to):
- Legal support from local EU Counsel to help guide us
- Understanding the provisions of the new regulations, understanding how they may differ from the current obligations and detailing considerations of our clients, members and staff
- Auditing our data capture points both inside and outside of Verve
- Updating our precise inventory of personal information that we control, plus reviewing our current controls and processes to ensure that they are adequate. This includes a risk assessment with associated plans to address any identified areas of risk
- Keeping informed of updated regulatory guidance as it becomes available, plus consulting external experts for guidance where applicable
- Conducting regular reviews of the website of the Information Commissioner, which is the UK representative within the EU's Article 29 working group, and attending talks and training
- Establishing an external relationship to support our Data Protection Officer requirements.
We instructed a working group of Senior Management, meeting bi-weekly, to manage the process of implementation. This group includes: MD of Finance & Operations, CTO, SVP of Group Operations, IT Manager, and Onboarding Director. To help with the implementation process and as part of our ISO 27001 commitments, our monthly internal audit process is being re-designed to stress test GDPR regulations.
At Verve, we strive to deliver an incredible customer experience. We will continue to make additional required operational changes resulting from the new legislation, and will keep our clients, partners and regulatory authorities informed throughout this process. Our internal cross-functional team will continue to monitor GDPR as it moves to become more clearly defined over the next few months, and will continue to inform our strategy for GDPR.