Trusted by more than 300 companies
This document sets out our commitment to complying with applicable data protection legislation in force in the UK (including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018) where we process your data whilst providing our services to you.
The aim is for this document to provide you with the assurances you need that we comply with the GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European regulation which came into force in 2018. When the UK left the European Union (“Brexit”) in 2021, the UK adopted the EU GDPR into UK law via the Data Protection Act 2018.
Collectively, in the UK, we now refer to the UK GDPR, which is the UK’s implementation of the EU GDPR together with the Data Protection Act 2018.
GDPR sets out the rules about how we can process personal data (data that allows us to identify an individual) whether we are processing this data ourselves or on behalf of our clients.
Quick introduction to GDPR
The data protection “principles” set out the rules by which personal data can be processed. This means that we must be open and transparent about our processing; only process data for a particular purpose; hold the minimum amount of data and keep it accurate; only keep the data for as long as we have a lawful reason to do so; ensure that personal data is kept secure; and be able to demonstrate that we are compliant (the “accountability principle”).
For processing to be lawful we have to identify a “lawful basis for processing”. You’ve probably heard of consent, which is where we get an individual’s permission to process their data, but there are other (and sometimes more relevant) lawful bases for processing, such as the performance of a contract; because the law requires us to process data in a particular way; or because we can demonstrate a legitimate interest, which means that we may want to process an individual’s data in a different way but have to make sure it doesn’t infringe the individual’s rights and freedoms.
We also have to be careful where in the world we process personal data. Generally, as long as we process the data in the UK or the EU, this is fine, but if we need to process the data outside this area we have to make sure an “appropriate safeguard” is in place, which usually means making sure the country has adequate data protection laws (as determined by the UK government) or putting a processing contract in place (usually called Standard Contractual Clauses or “SCCs”). It’s important to understand that “processing” includes everything we do with personal data, including storing, sharing, manipulating, editing and deleting it, so when we think about where in the world an individual’s data is processed this includes storing data in the cloud or using a third party to process the data.
What about marketing data?
GDPR applies to personal data that identifies an individual, whether that individual is a private person or an employee of a business.
When it comes to marketing to individuals, as well as considering the GDPR obligations over the processing of personal data, we also have to consider the Privacy and Electronic Communications Regulations (“PECR”) which set out the rules for electronic marketing such as by email, SMS/text or online messaging.
What is and isn’t allowed according to data protection and privacy regulations differs according to the source of the information, our relationship with the individual whose personal data it is, and whether the data relates to an individual or a business:
• Where the data relates to a private individual (e.g. a member of the public) we can only market to the individual if they have opted in to receive marketing. Opting in to marketing requires us to follow the GDPR’s consent rules as well as providing an option to opt out of future marketing at any time.
• Where the data relates to a private individual who is a customer (or is about to be), provided the individual was given a chance to opt out at the point the data was initially collected, the marketing relates to the services we provide and we provide an opt-out in every subsequent marketing communication, we can market without seeking consent. This is the so-called “soft opt-in” and doesn’t require GDPR-compliant consent.
• Data relating to sole traders (and certain kinds of partnerships, but not LLPs) should not be treated as business data but as an individual’s data, so the rules applicable to private individuals (above) apply.
• Data relating to an individual (e.g. an employee) within a business can be used for marketing purposes provided they can opt out of future communications and the marketing is relevant to their role (and they’re not a sole trader). Consent is not required to market business to business.
• Generic business data (that doesn’t identify an individual employee within the business) can be used for marketing as it’s not classed as personal data. It is best practice, though, to also provide opt-outs from future communications.
How are GDPR and PECR enforced?
In the UK the Information Commissioner’s Office (“ICO”) is responsible for ensuring the GDPR and PECR rules are upheld by any business or organisation that is processing personal data.
You can find out more about the role of the ICO on their website, along with lots of other resources relating to the UK GDPR and PECR: https://ico.org.uk/
As a UK company, we are committed to ensuring that our business, services and processes are GDPR compliant, that we continue to maintain our compliance and that it meets the full requirements of the law.
We are also committed to safeguarding your data when we process it on your behalf, and we apply the same standards of compliance to your data as we do to our own.
Our services are compliant because:
• We have an external data protection specialist who advises us and acts as our Data Protection Officer (DPO).
• All our staff are trained and aware of their ongoing compliance obligations.
• We have internal policies which set out the data protection responsibilities across the whole of our business.
• We check all our systems and processes to ensure they meet the requirements of the GDPR, particularly by ensuring that appropriate technical and organisational measures are in place to keep your data secure at all times. This includes making sure that only specific employees have access to your data.
• We maintain our compliance on an ongoing basis.
• We are open and transparent about how and where in the world we process your data, and about the protections we have in place to ensure that, as a Data Processor, we process your data on your behalf in line with the data protection requirements.
• We only process data where it is lawful to do so, and will let you know if we think your instructions are in breach of the GDPR.
• We have processes in place to assist you if your own Data Subjects exercise their rights.
• We have implemented the contractual obligations required by Article 28 of the GDPR (in our terms of service and accompanying documentation).
• We have carried out due diligence on any third-party processors (sub-processors) we may use in delivering our service, including putting in place the Standard Contractual Clauses required when processing data outside the UK.