The General Data Protection Regulation (GDPR) affects any organisation that operates in the EU or holds personal data about EU citizens. It will also give citizens additional rights over how their data is collected and used.
In the UK, the GDPR can be seen as the guiding legislation for the UK Data Protection Act 2018, within which the GDPR “derogations” allow the UK to make provisions for its application in the national context, for example in the area of law enforcement.
It imposes some new rules on companies that hold data, or seek to obtain data, about EU residents. So, for example, data controllers and processors are required to obtain “explicit consent” to collect and use personal data – as opposed to relying on silence or pre-ticked boxes – while meeting new levels of confidentiality, integrity and availability of the personal data they hold.
To ensure that SDA meets these high standards, it has been formally audited against, and has met, the requirements of the international standard ISO/IEC 27001:2013 Information Security Management System specification (certificate number 088), as well as those of UK Cyber Essentials (certificate number 3696603184139258).
SDA has also audited its administrative and technical data processing procedures to ensure that they comply with the fundamental principles of the GDPR, which require that:
- Data is processed fairly, lawfully and in a transparent manner
- Data is used for specified, explicit and legitimate purposes
- Data is used in a way that is adequate, relevant and limited
- Data is accurate and kept up-to-date
- Data is kept no longer than is necessary
- Data is processed in a manner that ensures appropriate security of the data
Together, these certifications and audits demonstrate how we adhere to stringent processes for keeping our and our customers’ data secure.
Who is affected by the GDPR?
Each business operating in the EU is affected by the GDPR. All citizens will have some enhanced rights with regard to their personal data. The UK has embraced this and will enshrine the majority of its requirements in the Data Protection Act 2018, though there are national derogations which allow its application in the national context.
How does this affect me?
Data in your SDA system is already secure and stored so as to comply with the GDPR. We have amended our agreements to ensure that they encompass the GDPR principles. Any new agreements that we make will, of course, already be GDPR compliant.
How can SDA help you?
SDA’s systems have been supporting our clients’ Data Protection obligations for many years and will continue to do so under the GDPR and the Data Protection Act 2018.
Your data is:
- stored in the UK
- administered according to the General Data Protection Regulation.
Our Information Security Manager is fully conversant with the requirements of both the GDPR and ISO/IEC 27001:2013. Following SDA’s own successful journey to GDPR compliance, which is founded at least partly on good security, he has been in some demand from other small and medium-sized organisations keen to receive practical advice on their own pathway.
If you would like advice, guidance or training that goes beyond just legal pronouncements, do give us a call.