General Data Protection Regulation (GDPR) statementThe General Data Protection Regulation (GDPR) is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data, and comes into effect on 25 May 2018.
The GDPR applies to "personal data", which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
It is important to note that GDPR doesn't come into effect until May 2018 - it is therefore still a very "fluid" draft regulation.
We will be fully compliant with the GDRP once it comes into effect, in the meantime, we have anticipated and prepared for the GDPR in the following ways:
Decision makers and key people within the MIDAS team are aware that the UK Data Protection law is changing to the GDPR.
We monitor compliance with data protection policies and regularly review the effectiveness of data handling / processing activities and security controls.
- Information we hold
We have documented what personal data we hold, where that data came from and who it is shared with.
- Data Protection by Design and Data Protection Impact Assessments
We have implemented appropriate technical and organisational measures to show we have considered and integrated data protection into our processing activities.
- Data Protection Officers
Our business has designated responsibility for data protection compliance to a suitable individual within the organisation.
- Lawful basis for processing personal data
Our business has reviewed the various types of information processing we carry out. We have identified our lawful basis for our data processing activities and documented this. Our business has explained our lawful basis for processing personal data in our privacy policies.
Our business has reviewed how we seek, record and manage consent. Our business has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.
Our business does not offer services directly to children.
- Communicating privacy information
Our business has reviewed our current privacy policies and will make any necessary changes in readiness for GDPR implementation.
- Individuals' rights
Our business has checked our procedures to ensure that we can deliver the rights of individuals under the currently proposed GDPR.
- Subject access
Our business has reviewed our procedures and has plans in place for how we will handle requests from individuals for access to their personal data within the new timescales outlined in the GDPR. Our business has reviewed our procedures and has plans in place for how we will provide any additional information to requestors as required under the GDPR.
- Data breaches
Our business has appropriate procedures in place to ensure personal data breaches are detected, reported and investigated effectively. Our business has mechanisms in place to assess and then report relevant breaches to the ICO where the individual is likely to suffer some form of damage eg through identity theft or confidentiality breach. Our business has mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
We are a UK-based business, governed by the law of England and Wales, and are subject to the exclusive jurisdiction of the courts of England and Wales.
← Return to Knowledgebase