GDPR compliance

How we protect your data

We have made sure any personal information we have is protected by taking the Government’s 12-step approach to data legislation.

This protects all the personal information we hold ready for May 25, 2018 when General Data Protection Regulation (GDPR) comes in. This is how we applied the approach.

Awareness – we have a GDPR group which includes representatives from all departments within the company. We have raised awareness on the matter with all employees.

Information audit – we have documented what personal data we hold, where it came from and who we share it with.

Communicating privacy information - the privacy policies on our websites are up-to-date and all company contracts have been revised to include a privacy notice and a data protection policy.

Individuals’ rights – we have checked our procedures to ensure they cover everyone’s rights to obtain or delete the personal information we hold about them.

Subject access requests – our data protection policy and privacy policy make it clear that everyone has the right to access their data. They can also request to have it moved or deleted, can have it transferred within the boundaries of GDPR requirements, and can request to delete personal information.

Lawful basis for processing personal data – our process for managing personal data has been approved by a lawyer.

Consent – we have reviewed all the ways we seek, record and manage consent for our use of personal data. We have asked for consent again where the original process was not in line with GDPR standards.

Children – we do no hold the personal data of children. If we dos so in the future, we will ensure we have the consent of their parent or guardian.

Data breaches – we have procedures in place to detect, report and investigate a personal data breach. Everyone in the company knows what they need to do if they become aware of a data breach.

Data Protection by Design and DPIA – we understand how and when we need to implement a Data Privacy Impact Assessment (DPIA).

Data Protection Officer (DPO) – we have appointed a person in the company as a main point of contact for data protection. Based on the published guidelines from the Information Commissioner’s Office (ICO), we do not need to formally appoint a DPO and have documented this step.

International – the cross-border processing of data is outlined in our data protection policy, in line with the latest guidance from the ICO and our lawyer.

Based on Information Commissioner’s Office, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. V2.0 20170525. Licensed under the Open Government Licence.