The new General Data Protection Regulation (GDPR) significantly expands the data privacy and protection regime within the European Union (EU). Fortress Supported Living Services Ltd (Fortress Care), alongside its suppliers and contractors, must comply with these rules where applicable.
Fortress Care places high importance on information security and we have engaged in a companywide programme to address the requirements of GDPR and the use of data, specifically personal data. This involves working with our suppliers and partner organisations to ensure they can meet these obligations.
The key elements of our programme include:
- GDPR Gap Analysis – Fortress Care has engaged a GDPR Consultant to provide Data Protection Officer (DPO) services, and our consultant has conducted a GDPR Gap Analysis. Fortress Care has taken an agile approach to achieving the targets it set. All required policies have been updated to GDPR standard and we continue to enhance our systems and processes in response.
- Data Impact Assessments, Inventories and Mapping – Fortress Care has conducted a Data Protection Impact Assessment (DPIA) across the organisation, which includes the preparation of a data asset register and the identification of associated third-party processors. As outlined under GDPR Articles 35 and 36, the DPIAs identify the relevant data components for ensuring adherence to the GDPR Principles. The DPIA describes the nature, scope, context, lawful basis and purposes of the processing; assesses necessity, proportionality and compliance measures; identifies and assesses risks to individuals; and identifies any additional measures to mitigate those risks. The data flow mapping identifies the method of collection, location, storage, sharing, security, retention and deletion of information across the complete data life cycle, as applicable between Fortress Care, its data subjects and third parties.
- Policy Enhancement – Fortress Care has updated its existing Privacy policies to GDPR standard and continues to develop policies and procedures where required. This includes refreshing our Privacy Policies and Data Breach Policy, and our Supplier and Third-Party agreements, with a specific GDPR focus. Following the ICO recommendations, Fortress Care is also adopting a new approach to Data Subject Access Requests for recording requests and sharing the requested personal data. A new Data Protection Policy and a companywide Data Retention Policy have also been created.
- Training and Culture – All staff have been trained on Confidentiality, which covers key GDPR requirements. Training and development is ongoing and covers both specific roles and companywide responsibilities.
- Third-party relationships – Following our data mapping exercise, we have reviewed all third-party relationships that are in scope for compliance with GDPR Article 28, including all contractual agreements. We are working with these third parties to update agreements where needed, according to the appropriate relationship terms (controllers, processors, suppliers and contractors).
- Technology – Fortress Care continually reviews its data and information security protection controls to maintain their efficiency and effectiveness, as outlined under Articles 25 and 32 of GDPR.
- Client Agreements (Business-to-Business) – Fortress Care continues to respond to all Client Agreements and addenda that address the GDPR requirements.