The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and came into force on the 25th May 2018.
The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
Cookies in use on this website
We use a number of different cookies on this site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit All About Cookies for detailed guidance.
The following table describes the cookies we use and what we use them for. Currently we operate an ‘implied consent’ policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, or you should delete our cookies having visited the site.
We are committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections which have been built into our services and contracts over the years.
It is important to remember that the GDPR is only a part of the overall data protection framework. The Government confirmed its plans to introduce a Data Protection Bill into Parliament. This should came into law in May 2018 replacing the current Act.
- sets out derogations from the GDPR, i.e. areas where Member States can decide provisions, such as around some exemptions;
- contains other national implementing measures, such as the ICO’s powers (see below);
- implements the Law Enforcement Directive, which covers processing by competent authorities such as police forces for law enforcement purposes;
- covers those areas of data processing that are not covered by either GDPR or the Directive and are outside the scope of EU law, so that there will be no gaps in the UK’s data protection regime.
The ICO aims to provide a suite of data protection guidance that is as comprehensive as possible by May 2018 (see below).
Where does the responsibility for data protection lie?
Our customers will typically act as the ‘Data Controller’ for any personal data collected and stored by the websites and databases we create and maintain. The Data Controller determines the purposes and means of processing personal data, while the ‘Data Processor’ processes data on behalf of the Data Controller. We are a Data Processor as we store personal data and can generate email alerts on behalf of the Data Controller.
Data Controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Data Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling the rights of ‘Data Subjects’ with respect to their data.
Guidance related to the role of Data Controller under GDPR is available on the ICO website.
Data Controllers should also seek independent legal advice relating to their status and obligations under the GDPR, specifically tailored to their situation.
Where to start?
As a current or future customer, you should be aware of the GDPR.
Customers, as Data Controllers, should:
- Be familiar with the provisions of the GDPR, particularly how they may differ from their current data protection obligations.
- Create an updated inventory of personal data that they handle.
- Review their current controls, policies, and processes to assess whether they meet the requirements of the GDPR and build a plan to address any gaps.
- Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to their business circumstances.
Our commitments to the GDPR
Among other things, Data Controllers are required to only use Data Processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR.
According to the GDPR, the Data Controller and the Data Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
We have the expert knowledge, reliability and resources to fulfil our obligations as Data Processors
We only use hosting sites which have proven security/defence systems for both their physical infrastructure and hosted environment. Each provider goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.
We are happy to make information available about these providers and to include commitments relating to them in updated customer contracts.
Data Protection Commitments
Processing According to Instructions: Any data that a Customer and its end-users pass to us or put into the databases we create and maintain will only be processed in accordance with the Customer’s written instructions.
Personnel Confidentiality Commitments: All our employees are required to sign a confidentiality agreement and our Information Security Handbook specifically addresses responsibilities and expected behaviour with respect to the protection of information.
We are certified to ISO 27001, the international Information Security Management System Standard.
Data Deletion or Return: When we receive a written instruction from a customer to either return or delete data, we will return or delete the relevant data from all of our systems, unless overriding retention obligations apply.
Assistance to our Customers
Data Subject’s Rights: We will fulfil our obligations to assist our Customers to respond to requests from Data Subjects to exercise their rights under the GDPR.
Incident Notifications: We will promptly inform our Customers of incidents involving their data in line with the requirements of the GDPR.
Audit Rights: Under the GDPR, audit rights must be granted to Data Controllers in their contracts with Data Processors. We expect that the updated data processing contracts we will receive before the GDPR comes into force, will include audit rights for our customers and we are happy to enable our customers to exercise such rights.
Topic and URL
Contact the ICO
Privacy notices under the EU General Data Protection Regulation
Good and bad examples of privacy notices