Background

GDPR is the General Data Protection Regulation, the EU-wide law governing the use, sharing, transfer and processing of personal data of EU residents. It has applied since 25 May 2018. The Information Commissioner's Office (ICO) is the UK Supervisory Authority (SA) responsible for overseeing its implementation in the UK, where it replaces and builds on the Data Protection Act 1998. The UK government has indicated that the GDPR will be retained in UK law when the UK leaves the EU.

Overview

We respect all laws that apply to our business and this includes the GDPR. Here are some things that Broxburn Drive Ltd are doing to ensure our compliance with GDPR and that of our customers:

  • As a data processor for numerous customers we are committed to assisting our customers with GDPR compliance.
  • We will ensure that employees authorised to process personal data have committed to confidentiality.
  • We will assist our customers, insofar as possible, to respond to data subject access requests they may receive under the GDPR.
  • We maintain a log of all sub-processors we use and of the data processing carried out for each project we undertake, and we ensure that any processing we are asked to perform remains within the scope of the controller's original instructions.
  • As a processor, we will notify affected customers (the data controllers) of any personal data breach without undue delay and assist them in notifying the ICO and, where required, the affected data subjects.
  • We commit to assisting our customers with data protection impact assessments (DPIAs) and, where a DPIA indicates a high risk that cannot be mitigated, to consulting the ICO or the relevant EU supervisory authority before processing begins.
  • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we commit to working with our customers and data controllers to jointly implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR.
  • All systems that hold personal data encrypt it in transit; selected sensitive fields are additionally encrypted at rest.
  • We do not transfer any personal data outside the EU.
  • We use database backup and restore mechanisms appropriate to the needs of each project so that personal data can be restored in a timely manner in the event of a physical or technical incident.
  • We will hold any sub-processors that handle personal data, including our data centre partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.