DPA/GDPR Statement

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and comes into force on the 25th May 2018.

The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

Cookies in use on this website

We use a number of different cookies on this site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit All About Cookies for detailed guidance.

The following table describes the cookies we use and what we use them for. Currently we operate an ‘implied consent’ policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, or you should delete our cookies having visited the site.

We are committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections which have been built into our services and contracts over the years. It is important to remember that the GDPR is only a part of the overall data protection framework. The Government has confirmed its plans to introduce a Data Protection Bill into Parliament. This should become law in 2018 replacing the current Act.

It will:

Any legislation introduced into Parliament is open to change so once the ICO [the UK's independent body set up to uphold information rights and the UK’s GDPR Supervisory Authority] have a clearer idea of its final form they will develop the structure and the content of the guidance they provide. The ICO aims to provide a suite of data protection guidance that is as comprehensive as possible by May 2018 (see below).

Where does the responsibility for data protection lie?

Our customers will typically act as the ‘Data Controller’ for any personal data collected and stored by the websites and databases we create and maintain. The Data Controller determines the purposes and means of processing personal data, while the ‘Data Processor’ processes data on behalf of the Data Controller. We are a Data Processor as we store personal data and can generate email alerts on behalf of the Data Controller.

Data Controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Data Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling the rights of ‘Data Subjects’ with respect to their data.

Guidance related to the role of Data Controller under GDPR is available on the ICO website.

Data Controllers should also seek independent legal advice relating to their status and obligations under the GDPR, specifically tailored to their situation.

Where to start?

As a current or future customer, now is a great time for you to begin preparing for the GDPR. Customers, as Data Controllers, should:

Our commitments to the GDPR

Among other things, Data Controllers are required to only use Data Processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR.

According to the GDPR, the Data Controller and the Data Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

We have the expert knowledge, reliability and resources to fulfil our obligations as Data Processors

We only use hosting sites which have proven security/defence systems for both their physical infrastructure and hosted environment. Each provider goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.

We are happy to make information available about these providers and to include commitments relating to them in updated customer contracts.

Data Protection Commitments

Processing According to Instructions: Any data that a Customer and its end-users pass to us or put into the databases we create and maintain will only be processed in accordance with the Customer’s written instructions.

Personnel Confidentiality Commitments: All our employees are required to sign a confidentiality agreement and our Information Security Handbook specifically addresses responsibilities and expected behaviour with respect to the protection of information.

We are certified to ISO 27001, the international Information Security Management System Standard.

Data Deletion or Return: When we receive a written instruction from a customer to either return or delete data, we will return or delete the relevant data from all of our systems, unless overriding retention obligations apply.

Assistance to our Customers

Data Subject’s Rights: We will fulfil our obligations to assist our Customers to respond to requests from Data Subjects to exercise their rights under the GDPR.

Incident Notifications: We will promptly inform our Customers of incidents involving their data in line with the requirements of the GDPR.

Audit Rights: Under the GDPR, audit rights must be granted to Data Controllers in their contracts with Data Processors. We expect that the updated data processing contracts we will receive before the GDPR comes into force, will include audit rights for our customers and we are happy to enable our customers to exercise such rights.

Topic and URL

Bill Progress

https://services.parliament.uk/bills/2017-19/dataprotection.html.

Contact the ICO

https://ico.org.uk/global/contact-us/.

Overview

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

Privacy notices under the EU General Data Protection Regulation

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/.

Good and bad examples of privacy notices

https://ico.org.uk/media/for-organisations/documents/1625136/good-and-bad-examples-of-privacy-notices.pdf.

Contracts

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/.

Legitimate interests

Ihttps://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/.

Consent

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/.

Documentation

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/.