How is BT handling GDPR?

We in BT, including our sister brands EE and PlusNet, have a comprehensive GDPR Readiness Programme in place across all areas of the business that process personal data. It is overseen by BT's Executive Committee and is designed to ensure that we meet our new accountability obligations, as well as all other new or updated GDPR requirements that apply to us (such as those on consent, data subject rights and privacy by design), when the GDPR comes into force on 25 May 2018.

Key activities in the GDPR Programme include the following:

  • We have been conducting a comprehensive landscaping exercise across BT’s data processing activities and relevant systems. This exercise provides a record of what personal data we are processing and for what purpose. This will be maintained going forward;
  • We are working with our third parties and uplifting our global Supplier contract terms to take account of the specific obligations of the GDPR;
  • We are revising our standard Customer terms and conditions to ensure that the data protection clause meets the requirements of the GDPR and this will be made available once finalised;
  • We are also reviewing our product service schedules to ensure that they contain appropriate information with regard to the data processing activities involved in the respective products and services;
  • The privacy notices on our websites are all being reviewed and will be updated as required to ensure that we meet the GDPR transparency obligations about data collection and processing; and
  • Over and above our mandatory training programme, we have a communication and awareness plan in place to ensure that all BT’s personnel engaged in processing of personal data, whether it be employee or customer data, are aware and reminded of their obligations.

In addition to this Programme, BT has already put in place, and operates, many of the key innovations and requirements of the GDPR. For example, these include:

  • Privacy Impact Assessments – we have already introduced an online tool enabling new products and services to be checked for privacy compliance. The use of this tool is mandatory for business units developing new products and services;
  • Data Protection Officers – BT has a number of people in designated roles who champion privacy awareness and oversee compliance in the jurisdictions where BT operates across the globe, managed by the Chief Privacy Officer’s office in BT’s Global HQ in London;
  • Data Breach notification – We have operated a data breach notification process since this requirement was introduced in the telecommunications sector in 2011. This is also a key contractual requirement on any third party data processors we appoint to process data on our behalf;
  • Data security – BT Security protects all aspects of BT’s operations, from people and buildings to networks and cyber security. BT Security operates a process to check that BT’s systems, networks, applications and products are built and maintained securely. A number of BT products and services meet the ISO 27001 standard; and
  • Binding Corporate Rules (BCR) – these are recognised in the GDPR as a legal basis for international data transfers within the same group of companies. BT is the only telco in the UK (and only the second in Europe) to have these approved.