GDPR Readiness Statement
1. Introduction
This statement sets out how Faith House Eventide Home, hereafter referred to as Faith House adheres to General Data Protection Regulation (EU) 2016/679 (GDPR)
2. Scope
The scope of Faith House GDPR readiness supports our role as a data controller, as well as our role as a data processor to our clients. The scope applies to all Faith House operations and services involving the handling of personal data concerning an identified or identifiable natural person.
Please note that in our role as data processor and while acting on behalf of you the data controller, this statement of readiness references some data controller responsibilities and assumes that as data controller you are fulfilling your obligations under GDPR as data controller.
3. Statement of Readiness
Faith House have implemented the following measures to ensure full adherence to GDPR and to protect all personal data that we process from loss, alteration, access, disclosure, accidental or unlawful destruction.
3.1 General technical and organizational information security measures
3.1.1 All Faith House policies, procedures and processes have been reviewed and updated for GDPR, including our roles as data processor and data controller and incident/breach management.
3.1.2 We will process personal data only in accordance with the data controller’s written instructions which shall be in line with their specified purpose(s), their legal basis of processing and all other principles stated in paragraph 1 (a-f), Article 5 of the GDPR. If we need to change the way that we process personal data, we will only do this via a formal change request process and after obtaining written permission from authorised users.
3.1.3 We will assist the data controller in meeting the requirements of GDPR with regard to the notification of personal data breaches and data protection impact assessments.
3.1.4 Information security is embedded throughout the group and is detailed in Faith House policies, processes and procedures.
3.1.5 We have carried out a data audit and have documented all of our processing activities which adhere to Article 30, GDPR.
3.1.6 We operate a risk management process. We regularly assess and manage the risks associated with protecting the confidentiality, integrity and availability of the personal data that we process and their related assets.
3.1.7 On written instruction from the data controller, we can securely destroy any data that is no longer required or has passed its retention period quickly and easily.
3.1.8 Our premises and our processes are regularly audited by our clients for adherence to the Data Protection Act 1998 and GDPR with no major issues found. We will contribute to reasonable audits and inspections required by the data controller. The scope and timelines of such audits and inspections will be agreed with the data controller in writing and in advance.
3.1.9 We have conducted internal audits to validate that we are GDPR ready and to identify any further areas for improvement which we are working on as part of our continuous improvement process.
3.1.10 We have plans in place to minimize the impact of any disruptive incidents or disasters, and our systems and processes are resilient enough to protect the confidentiality, integrity and availability of personal data.
3.1.11 We regularly test our business continuity and disaster recovery plans to ensure that we can quickly restore our operations in the event of a disaster or incident.
3.2 Faith House systems and hardware
3.2.1 We have developed our end user systems to ensure they are fully prepared for GDPR.
3.2.2 Faith House systems enable us to fulfil our obligations for a data subject’s right of access, rectification, or restriction of personal data. All personal data is backed up and encrypted.
3.2.3 Faith House systems enable us to fulfil our obligations for the’ right to be forgotten’ (Article 17, GDPR). Personal data can be securely and fully removed from our systems.
3.2.4 Faith House systems enable us to fulfil our obligations for the ‘right to data portability’ (Article 20, GDPR). All personal data can be exported from our systems.
3.2.5 Personal data is password protected on our servers. Faith House servers are located in Belfast, United Kingdom.
3.2.6 A disaster recovery plan is in place for our critical systems and is regularly tested.
3.2.7 All desktop PCs run the latest security patches and antivirus software. They are password protected and contain personal firewalls.
3.3 Staff training, awareness and integrity
3.3.1 GDPR and information security training and awareness is included in our company induction for all new employees.
3.3.2 All existing staff have received training on their responsibilities for GDPR.
3.3.3 All staff who are authorized to process personal data do so on a strictly ‘need-to- know’ basis as necessary to perform their role in the provision of required services.
3.3.4 All Faith House staff have signed a confidentiality/non-disclosure agreement which forms part of their contract of employment.
4. Declaration
Faith House declaration:
We confirm that the above measures are in place. These measures are monitored for their continued suitability and adequacy for adherence to GDPR.
Home Manager