What steps would you take to ensure compliance with the General Data Protection Regulation 2016(GDPR) and the Data Protection Act 2018(DPA)? In particular how would you:

The General Data Protection Regulations (GDPR) gives more rights to individuals and more obligations to organisations holding your personal data.

One of the rights is a right to be informed, which means we have to give you even more information than we do now about the way in which we use, share and store your personal information.

This privacy policy informs you about the increased rights you have in relation to the information we hold on you and the legal basis on which we are using it.

1. Show compliance with data processing requirements

Both parties will comply with all applicable requirements of the Data Protection Legislation. This Schedule is in addition to, and does not relieve, remove or replace, the parties obligations under the Data Protection Legislation.  The basis for processing and sharing Personal Data under this Agreement is in accordance with a lawful basis for processing Personal Data provided for by the Data Protection Legislation.

2. Put in place technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or damage to such data?

The Service Provider shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the ombudsman service, to protect against unauthorised or unlawful processing and to protect against a Data Loss Event. The protective measures should take account of the nature of the data to be protected

the harm that might result from a Data Loss Event;

the state of technological development;

and the cost of implementing any measures.

3. Help carry out data protection impact assessments before processing any personal data?

iansyst shall provide all reasonable assistance preparation of any data protection impact assessment required prior to commencing any processing

4. Put in place training programmes for staff who have access to personal data and ensure their integrity and reliability?

All staff are required to undertake GDPR training annually.  This covers the importance of ensuring that only the individual is given information about their personal information, and it is not shared with a third party.  This training is also re-iterated in our Customer Care training which is also run annually.

5. Keep records of data processing carried out under the Contract?

We are ISO 2001 accredited, which means that we are independently audited annually or all of Information and Security processes and procedures.

6. Show compliance with any statutory requirement to appoint a data protection officer if applicable to you)?

iansyst is open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

give you a description of it;

tell you why we are holding it;

tell you who it could be disclosed to; and

let you have a copy of the information in an intelligible form.

To make a request to iansyst for any personal information we may hold you need to put the request in writing addressing it to our DPO

7. Decide whether or not to use sub-processors to process personal data

Our employment contract requires all staff to declare if they have any potential conflicts of interest.  When they complete a declaration, the signed document will be scanned and stored with information held on their personnel file. All data related to this contract would be handled only by staff from iDiversity Consulting Ltd or their subsidiary Iansyst Ltd.