3. Disability Solutions West Midlands (DSWM) is a Stoke-on-Trent based charity that has been
supporting people with disabilities and long term health conditions including cancer for 38
years. We are a Disabled People's User Led Organisation (DPULO) and a company limited
by guarantee.
Our specialist areas include:
Insight and Knowledge regarding Disability taking a pan-disability approach
Tribunal Representation & Support
Welfare Benefits Advice & Support
Cancer Related Benefits & Support
Independent Aids & Adaptations, Assistive Technology
Equality Act, LGBTQ & Disability Awareness Training
From 1st April 2018 – 31st March 2019 we found solutions and supported over 8,300 people
We work today to improve people's tomorrows
4. So, when it came to the start of our GDPR journey a lot had to be considered...
we work with a high level of sensitive and highly confidential information daily.
From April 1st 2018 – 31st March 2019 we processed:
Over 8,300 Clients
24,407 Contacts
561 Appeals and Tribunals
All involving Special Category Data
The highly confidential nature of all the data we obtain, process, handle and store required us to
ensure we considered every possible area in relation to GDPR - ensuring we didn’t overlook anything.
5. 1500+ hours reading
3-6 months cumulative total of meticulous research
Ongoing research until the GDPR deadline - and beyond!
Attended multiple information events across the country
I lived on the ICO website
I read many Green and White Papers
I spoke with the National Association of Solicitors, National Association of Welfare Rights
Advisers, Advice Quality Standard…
3 years looking into every possible area of GDPR
One thing I found was constant - no one was 100% sure regarding GDPR.
6. The kind of data we process on a daily basis
consists of:
Medical Records
NHS paperwork
X-rays and Scans
Mental Health reports
Her Majesty's Courts & Tribunal Service Paperwork
DWP information
Bank Details
Care Plans
Care Assessments
Disability and/or Health condition or Cancer diagnosis
Financial Reports in cases of financial abuse
7. First was our audit and it was a big piece of work.
To begin our journey towards GDPR compliance this
was our first step:
General Full Audit
Data Audit
Data Risk and Prevention Audit
IT Assets Audit
Information Audit
Software Audit
Every possible area that was relevant to or part of any
data processing or storage was audited.
9. Resources and Cost
We have 45 volunteers and new ones applying every week
Some staff didn’t think GDPR applied to us as a small charity
Finalising the audit and ensuring everything was in the documentation
Communicating with all workforce to ensure transparency
Workforce accepting the potential alterations in their roles re data processing and security
Workforce accepting additional procedures
Ensuring all systems interlinked and all areas were explored
Brexit (as people were convinced that come Brexit GDPR would no longer exist)
These are just a few difficulties. No GDPR journey will ever be difficulty free,
however the difficulties are what help to round off the GDPR journey in the end.
10. For GDPR compliance we put in place additional security protocols
and reporting systems and mechanisms.
These included:
Increased password complexity that changes every quarter
2 Factor Authentication for every user
Automatic Log Out on computers after 8 minutes of inactivity
No access to work systems out of the office
Restricted access to areas unnecessary to their role
15 New Policies and 3 Influencing Documents
Clear Desk Policy!
The workforce viewed the additional security requirements as extra
layers that negatively impacted upon their streamlined work flow.
After months of getting used to the new systems the workforce now
find some of my “quirky” traits around GDPR funny.
WHAT THE WORKFORCE FOUND DIFFICULT AT FIRST.
11. The Human element does add an additional layer that needs to be considered.
This became a big part of our journey; we may only have 17 staff but we have 45 volunteers also.
Ensuring they were all appropriately trained and aware of GDPR requirements and their
responsibilities as data processors was challenging at points; people don’t like:
Change
Unfamiliar Systems
Extra things to remember and pressure not to forget…
…and at the end of the day we can all make errors inadvertently.
This is certainly a difficult part of the journey. I lost count of how many individual and group
discussions I had, as well as official meetings around GDPR with the workforce.
You can have all the systems in place but at the end of the day the workforce is a main component to
success and compliance.
12. Once the ground work regarding GDPR was complete, the final hurdle was to train the
workforce.
The training package had to be informative, targeted and highlight all the important areas
and changes, while also being transparent, easily understood and workforce friendly.
Before they could complete the training and we stamped them as GDPR Ready, each
workforce member was required to participate in:
2 training sessions - 5 hours each session
Show they understood the changes to the systems and the new policies
Put the changes into practice consistently and reliably.
13. We had a robust system in place prior to GDPR, but what GDPR compliance did was ensure we
revamped our processes, systems and procedures and added a few more layers where required; the
additional layers look like:
15 New Policies
3 Influential Documents
Additional Security Protocols
A Data Risk Register
Continued Data Audit where additional systems, procedures, processes are added when needed
Workforce Data Protection training every quarter
System security and processes tests monthly, with ongoing monitoring.
14. WHAT OUR GDPR SYSTEMS @ DSWM HAVE CAUGHT
So far we have caught multiple potential data breaches
by other organisations across public, private, community
and charitable sectors.
We have processed 12 data subject access requests –
4 right to be forgotten
8 data access requests
Other organisations I have supported with their GDPR
compliance journey (systems and training):
North Staffordshire Medical Institute
Green Door Charity
Multiple and Complex Needs and Abilities Charity
Bentley’s Caterers
15. The GDPR journey never ends.
There will always be a new system to consider, a new workforce member to train, a new
project to audit etc.
Yes, once we had the necessary areas in place the journey wasn’t as difficult, but the
journey from this point moving forward will still require tweaks and additions for as long as
GDPR regulations exist… so forever.
The hardest part of DSWM’s journey is done, but the journey is far from over.
With changing technologies, systems, upgrades, workforce etc. it will always require us to
keep a driver in the driving seat.
You will never hear me say “We are 100% GDPR compliant”; to me we are as compliant
as can be at any one time.
16. Thank you for your time
David James Lovatt
Director of Research and Development
Tel: 01782 667336
Email: dlovatt@disability-solutions.net