GDPR Compliance and Appraisd

20 January 2018

On 25 May 2018, the General Data Protection Regulation (GDPR) will come into force in the UK.

From this date, all UK businesses must be compliant with the new regulations or face considerable fines. At Appraisd we are taking steps now to ensure we are fully GDPR compliant well before this date. This page explains at a high level how we are addressing some of the requirements.

Please note that you should seek your own legal advice. Information provided by us must not be considered legal advice.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:

  • Requiring the consent of subjects for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders

At Appraisd we have taken or are taking the following steps to address the new requirements:

We are updating our Terms and Conditions to include new clauses on GDPR and data processing. The following documents are also available

Requiring the consent of subjects for data processing

Our Terms and Conditions are being amended to ensure that consent of the data subject has been obtained by the Customer. When consent is withdrawn, features in Appraisd will make it easy for a Customer Administrator to permanently delete or anonymise user data. We will also be providing features to ensure Customers can respond to Data Subject Access Requests.

Anonymizing collected data to protect privacy

We will be providing tools to enable Customers' Administrators to anonymise personal data in Appraisd where possible. Where this is not possible, Customers will be able to permanently delete personal data.

Providing data breach notifications

We will provide timely notification in the event of any accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, any personal data. This is detailed in our Data Processing Agreement.

Safely handling the transfer of data across borders

We use state-of-the-art technology and best practice to ensure the safety of your data. All Appraisd customer data is stored in Microsoft Azure datacentres in the UK that are ISO 27001 and ISO/IEC 27018 certified. All data is encrypted at rest and in transit. Where data crosses EU borders, it is transferred using appropriate EU model clauses and other contractual assurances.

Your responsibilities as a customer

As a customer of Appraisd, you will act as the data controller for personal data you use and provide to Appraisd as part of your usage of the service. Appraisd is a data processor and processes data on behalf of you, the data controller. As a data controller, you will have obligations under GDPR concerning lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as obligations to fulfil data subjects’ rights with respect to their data. These responsibilities are detailed in our Data Processing Agreement.

Data standards and certifications

We are currently in the process of achieving ISO 27001 certification, which will provide independently verified assurance of our security practices. We estimate certification to be achieved by Q2 2019.