MIDAS Knowledge Base
General Data Protection Regulation (GDPR) statement
The General Data Protection Regulation (GDPR) is European-wide law, replacing the Data Protection Act 1998 in the UK. GDPR places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018.
GDPR applies to "personal data". This means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
GDPR applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
We have prepared for the GDPR in the following ways:
- Awareness
Decision makers and key people within the MIDAS team are aware that the UK Data Protection law is changing to the GDPR.
- Accountability
We monitor compliance with data protection policies and regularly review the effectiveness of data handling / processing activities and security controls.
- Information we hold
We have documented what personal data we hold, where that data came from and who it is shared with.
- Data Protection by Design and Data Protection Impact Assessments
We have implemented appropriate technical and organisational measures to show we have considered and integrated data protection into our processing activities.
- Data Protection Officers
Our business has designated responsibility for data protection compliance to a suitable individual within the organisation.
- Lawful basis for processing personal data
Our business has reviewed the various types of information processing we carry out. We have identified our lawful basis for our data processing activities and documented this. Our business has explained our lawful basis for processing personal data in our privacy policies.
- Consent
Our business has reviewed how we seek, record and manage consent. Our business has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.
- Children
Our business does not offer services directly to children.
- Communicating privacy information
Our business has reviewed our current privacy policies and has made any necessary changes in readiness for GDPR.
- Individuals' rights
Our business has checked our procedures to ensure that we can deliver the rights of individuals under GDPR.
- Subject access
Our business has reviewed our procedures and has plans in place for how we will handle requests from individuals for access to their personal data within the new timescales outlined in the GDPR. Our business has reviewed our procedures and has plans in place for how we will provide any additional information to requestors as required under the GDPR.
- Data breaches
Our business has appropriate procedures in place to ensure personal data breaches are detected, reported and investigated effectively. Our business has mechanisms in place to assess and then report relevant breaches to the UK Information Commissioner's Office (ICO) where the individual is likely to suffer some form of damage, for example through identity theft or confidentiality breach. Our business has mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
- International
We offer cloud hosted customers a choice of data centers for where their live MIDAS database will reside. This includes a European data center hosting option. Our hosting service provider is considered a "Data Processor" in relation to GDPR in accordance with Article 28 of the GDPR. The legal basis for such processing is covered by Article 6 (1)(f) of the General Data Protection Regulation (GDPR). Our hosting provider holds data in the highest regard and does not disseminate any customer uploaded data outside of its network. Data transfers to the US will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission. A copy of our hosting service provider's privacy policy ("Data Processing Agreement" for the purposes of GDPR) may be found here.
We are a UK-based business, governed by the law of England and Wales, and are subject to the exclusive jurisdiction of the courts of England and Wales.