GDPR Compliance Statement
As a company that takes data privacy and security very seriously, we recognise that our practices are important to you. We are dedicated to safeguarding the personal information under our remit and to the continuous improvement of our data privacy programme ‘PrivaCEC’ so that it remains effective and demonstrates accountability under GDPR obligations.
As part of our commitment to meeting and upholding the principles of the GDPR, we examine many areas within our company to remain GDPR compliant. Below we provide general information on how we remain compliant and consistent in the protection of the personal data you entrust to us.
Our on-going assessments include:
Information Audit – carrying out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed, how it is protected and if and to whom it is disclosed.
Policies & Procedures – revising current and/or implementing new data privacy and protection policies and procedures to continue to meet the requirements and standards of the GDPR and any relevant data protection laws.
Training and awareness - we train employees on data protection obligations, our policies and procedures and best security practices, including how to identify social engineering, phishing scams, and hackers.
Data Protection – our main policy and procedure document for data protection has been updated. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with a dedicated focus on conducting privacy impact assessments for all personal data processing.
Children and young people's privacy notice - information for young people detailing how and why we might collect and use data and/or imagery if they choose to consent.
Data Retention & Erasure – we have updated our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically.
Data Breaches – our data incident management procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
Third-Party due diligence–carrying out due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable. We carry out audits of our key digital services.
Subject Access Request (SAR) – our procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.
Legal Basis for Processing – we continue to review processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Act 2018 are met.
Privacy Notice/Policy – we have reviewed and updated our Privacy Notice(s), ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
Keeping you Informed/Direct Marketing–we do so based on our legitimate interest to promote our programmes and activities and to keep you abreast of industry trends and developments through our newsletters and campaigns. We provide a clear method for unsubscribing out of any subsequent newsletter and materials.
Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, involves large scale processing or includes special category/criminal conviction data; we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s) and we keep our DPIAS under review.
Processor Agreements – where we use any third-party to process personal information on our behalf (e. Payroll, Recruitment, Software developers, IT services, Hosting, etc), we have included compliant processor terms and due diligence procedures for ensuring that they (as well as we), meet and understand their/our GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.
Special Category Data – where we obtain and process any special category information, we do so in compliance with the Article 9 requirements and have encryptions and protections on all such data. Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Act 2018 Schedule 1 condition. We maintain an appropriate policy document.
Security – we perform regular penetration testing. We review all security concerns brought to our attention, and we take a proactive approach to emerging security issues. We strive to stay on top of the latest security developments both internally and by working with external security auditors and companies.
Dated: October 2022