The UK General Data Protection Regulation (UK GDPR) affects any organisation operating in the UK that holds personal data about UK citizens. It also gives citizens additional rights over how their data is collected and used. The UK GDPR is closely mapped to the EU GDPR such that UK and EU countries are sufficiently aligned – in terms of their respective privacy and data protection regulatory frameworks – to be deemed mutually ‘adequate’ and to continue to transact and process data across borders, post-Brexit. Key exceptions are law enforcement processing and intelligence services processing.
GDPR (UK and EU) imposes some new rules on companies that hold data, or seek to obtain data, about their citizens. So, for example, data controllers and processors are required to obtain “explicit consent” to collect and use personal data – as opposed to relying on silence or pre-ticked boxes – while meeting new levels of confidentiality, integrity and availability of the personal data they hold.
To ensure that we meet these high standards, we have been formally audited against – and have met – the requirements of the international standard ISO/IEC 27001:2013 Information Security Management System specification, certificate number 088, as well as those of UK Cyber Essentials, certificate reference IASME-CE-019791.
We have also audited our administrative and technical data processing procedures to ensure that they comply with the fundamental principles of the GDPR.
Together, these demonstrate how we adhere to stringent processes for keeping our and our customers’ data secure.
UK GDPR Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Who is affected by GDPR
All businesses operating in the UK and EU are affected by the GDPR if they process citizens’ data. All citizens have some enhanced rights with regard to how their personal data is processed. The UK has embraced this and has enshrined the majority of its requirements in the Data Protection Act 2018, though there are exceptions that apply to law enforcement and intelligence data which allow its application in the national context.
How does this affect me?
Data in our system are already secure and stored so as to comply with the UK GDPR. We have amended our agreements to ensure that they encompass the UK GDPR principles. Any new agreements that we make will, of course, already be UK GDPR compliant.
How can we help you?
Our systems have been supporting our clients’ Data Protection obligations for many years and will continue to do so under the UK GDPR and the Data Protection Act 2018.
Your data is:
- stored in the UK
- encrypted in transit and at rest
- administered according to the General Data Protection Regulation
- held in systems that are audited and certified against the requirements of the ISO/IEC 27001:2013 Information Security standard and HMG Cyber Essentials principles.
Our Information Security Manager is fully conversant with the requirements of both the GDPR and ISO/IEC 27001:2013. Following GIDE’s own successful journey to GDPR compliance, which is substantially founded on good security, he has been in some demand from other small and medium-sized organisations keen to receive practical advice on their own pathway. If you would like advice, guidance or training that goes beyond just legal pronouncements, do give us a call.