The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU) and came into force on May 25th 2018.
The GDPR imposes new obligations on organisations that control or process relevant personal data and introduces new rights and protections for EU data subjects.
The GDPR applies to data processing carried out by organisations operating within the EU.
ADR International comply with the GDPR as a processor and controller of data.
The key points, in plain English:
If you contact us from our website (or by phone or email, or even letter) we use your details to respond, then they are deleted. Or, if there is a legitimate reason for retaining them (you are interested in our services), they are held securely in our system, where you can opt out at any time and/or have them deleted at any time on your request.
As part of our normal business development we reach out to people who we think will find our services beneficial and to people who we think are interested in the insights articles we produce. If we contact you by email, you can opt out at any time and your data can be automatically deleted at your request. All the options are on every email.
We will be as open as we can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request to us for any personal information we may hold, you need to email the Data Protection Officer at the address provided below.
If we do hold information about you, you can ask us to correct any mistakes in writing by emailing the Data Protection Officer at the address provided below.
If you apply for a job with us, we hold your details only until you get a job. If you are rejected, your personal information will be destroyed.
LAWFUL BASIS FOR PROTECTING PERSONAL DATA: If you are a client, we are likely to be managing data on your behalf. ADR International provides a cloud service for skills assessment and online training based on users willingly providing data to further their assessment and training. It therefore has a lawful basis on which to process data.
CONSENT: ADR International stores data uploaded by the client and the individual user. As the user provides their own data it is taken that consent is implicit in the process.
CHILDREN: ADR International does not store data for or about children.
DATA BREACHES: ADR International stores data on professionally managed secure servers designed with industry standard security and incorporating SSL. The ISP will contact ADR International in the event of a data breach, and ADR International is bound to inform the ICO if personal data is involved. We regularly monitor server access data and consider the impact of data loss on privacy.
PRIVACY: ADR International will never share your contact information, skills assessment inputs or outputs and online training inputs or outputs with anyone else outside of the organization you work for without your written consent.
CONCERNS: Our agreement with you covers all aspects of GDPR obligations. If you have any concerns, on any aspect of data security or compliance, please contact the Data Protection Officer.
GDPR COMPLIANCE: To ensure GDPR compliance ADR International has:
- Established a governance framework that covers board awareness, a risk register, the accountability framework and the review process.
- Appointed a Data Protection Officer. The Data Protection Officer for ADR International is the Chief Executive, Robin Jackson.
- Created a data inventory that identifies processors and ensured that no data is held unlawfully.
- Conducted a data flow audit.
- Engaged with our service and technology partners to ensure they are compliant.
- Conducted a gap analysis to assess our compliance to ensure that our business processes are robust and in accordance with the Regulation.
- Conducted a data protection impact assessment and a security gap analysis.
- Created a data breach response process and provided training to our people.
- We have updated our Service Agreements to incorporate the GDPR obligations.
- We have undertaken a review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records. Assessments of the data reviewed information flow, data transfers, risk reviews, and structural position in relation to Lawfulness, Purpose, Minimisation, Accuracy, Consent, Limitation, Integrity & Confidentiality, Record Keeping and Accountability.
- All employees are made aware of the GDPR and have been trained on the data breach response process.
- Where relevant and related, we have used all reasonable endeavours to ensure that our third parties and suppliers are complying with the GDPR.
- We have used all reasonable endeavours to ensure that our third-party technology suppliers are complying with the GDPR.
The DPO and ADR International Directors will continue to oversee our GDPR compliance as a regular part of our governance.
CEO & Data Protection Officer, ADR International, May 2018