In May 2018, the Data Protection Act (DPA) was replaced by the General Data Protection Regulation (GDPR).
 
If you are one of our clients, then as a result of GDPR Circle will be one of your Data Processors.
 

What is a Data Processor?

The ICO says:
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

So that includes us. You may have relationships with other data processors as well.  

What changes under GDPR and what does that mean for our relationship?

The GDPR introduces direct obligations for data processors for the first time, whereas the current Directive only holds data controllers liable for data protection non-compliance. Processors will also now be subject to penalties and civil claims by data subjects for the first time.


Article 28 of the GDPR states:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
In other words, we need to give you assurance that our security processes are up to scratch and, in particular, that we will provide the technical measures needed to keep your data safe.
 
In practice, this means you must have appropriate security to prevent the personal data you hold from being accidentally or deliberately compromised. In particular, you will need to:
  • design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
  • be clear about who in your organisation is responsible for ensuring information security;
  • make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
  • be ready to respond to any breach of security swiftly and effectively.
Some of this becomes our joint responsibility under GDPR, at least to the extent that, as your Data Processor, we potentially become liable for breaches. But it is your duty to ensure you work with Data Processors that are themselves compliant and have appropriate data protection measures in place.

You can find out more about the ICO and Article 28 of the GDPR here.

Our services are ISO 27001 compliant. For full GDPR compliance, your data will never leave UK jurisdiction - simple as that. All our secure data centres and backup facilities are based in the UK unless you request otherwise.

Security, confidentiality and data protection are at the heart of our thinking, and we maintain strong security procedures around access to all our servers and data. The systems we build are secure by design: our team stays up to date on secure development principles and ensures that every system has carefully considered permissions.

In addition to the initial build, we can offer annual reviews of data security and system users. Contact us to discuss your needs.