The GDPR is a sensible set of regulations designed to treat everyone’s details respectfully and securely (just as you would want your data handled). Specifically:
- All data is opt-in, encrypted and held in the European Union. If data is transferred to North America it is done with providers that have adequate ‘Privacy Shield’ certification.
- Adequate security measures have been adopted. (Obviously we can’t disclose what these are as the first rule of security is “don’t talk about security”).
- Cyber security specialists recently conducted an advanced penetration test and we passed with flying colours.
- If any data were compromised, we have an impact assessment in place that includes promptly informing the ICO.
- If an applicant makes a “right to be forgotten” request, we will give you 48 hours’ advance notice before removing their data.
- If you wish for data to be removed, we can take care of this for you. However, there is a common misconception that we need to delete ‘old’ data. We only need to delete old data that has no future value, which is often not the case: for example, you may have had an application two years ago and your notes may still have present value. For that reason we are not deleting any data unless we receive a “right to be forgotten” request.
To ensure compliance we took advice from Field Fisher solicitors (they are reassuringly expensive and coincidentally train other lawyers on GDPR).
When Brexit happens, we hope the UK’s data protection laws will remain in harmony and be adequate for the EU.
At the same time, we also comply with two related pieces of legislation that come into force on the same day: e-Privacy and Network and Information Systems (NIS).