The General Data Protection Regulation (or GDPR) has been in force since May 2018 and we must continue to remind ourselves of our responsibilities under both GDPR and the Data Protection Act 2018 (the related UK legislation).
The consequences of mismanaging personal data are very severe, with companies liable to fines of up to 20 million Euros or 4% of global annual turnover (whichever is the greater). Several fines have already been levied, but the largest to date was in January 2019, when Google was fined a massive 50 million Euros by the French National Data Protection Commission for two breaches under GDPR. There will of course also be a great deal of negative publicity associated with a breach of the rules.
Accordingly, we mustn’t become complacent and if you receive any enquiries in relation to how CEMEX manages and protects personal data then please contact Vishal Puri (vishal.puri@cemex.com), Rebecca Wright (rebeccajuliet.wright@cemex.com) or Emma Ashenden (emma.ashenden@cemex.com) in the UK Legal Department or send an email to our dedicated address: dataprotectionuk@cemex.com.
Vishal Puri is the CEMEX UK Data Protection Officer.
Some key things to remember:
- The data protection legislation only covers “personal data” i.e. that relating to identifiable living individuals (or data subjects) and doesn’t include data relating to, for example, limited companies. Personal data includes written information and images relating to data subjects.
- If you receive a request from an individual (whether an employee, contractor or member of the public) enquiring about personal data that CEMEX holds about that person, ensure that it is immediately sent to dataprotectionuk@cemex.com. There are strict timescales under the legislation for complying with such requests.
- If we are contacted by customers or suppliers about CEMEX’s GDPR compliance programme and information on measures in place to protect personal data provided by them, then please forward these to dataprotectionuk@cemex.com.
- Some customers and suppliers may insist that we enter into special agreements concerning our management of their personal data. Please ensure that these are sent to the Legal Department for review. We have our own preferred agreements which should be used in such cases.
- Contact the Legal Department when negotiating contracts which involve the processing of personal data.
- Tell us about any new technology in the pipeline that is being developed in the UK and involves the processing of personal data, as we will need to carry out a data privacy impact assessment ahead of implementation. We carried out data privacy impact assessments on CEMEX Go and icollect ahead of these being rolled out. A data privacy impact assessment is also required when installing new or altering existing CCTV systems, so please also contact us before doing this.
- Do not store personal data on the hard drive of your CEMEX computer and instead ensure this is kept securely on the CEMEX network.
- In the event that your CEMEX mobile phone or laptop is stolen then please report this to Simon Whitfield (Process and IT Manager) and Colin Jones (Security Manager) and advise dataprotectionuk@cemex.com so that we can make an analysis in relation to the loss of any personal data contained on the device.
- Ensure that any personal data retained on CEMEX systems is accurate, relevant and not excessive. All information must be held in accordance with the CEMEX Information Retention Policy.