As of 25 May 2018 the General Data Protection Regulations (GDPR) came into force in the UK.
All UK businesses must be compliant with the new regulations or face considerable fines. At Appraisd we have taken steps to ensure we are fully GDPR compliant. This page explains at a high level how we have addressed some of the requirements.
Please note that you should seek your own legal advice. Information provided by us must not be considered legal advice.
Some of the key privacy and data protection requirements of the GDPR include:
Our Terms and Conditions contain clauses that relate to GDPR. We also provide the following supporting information:
Our Terms and Conditions ensure that consent of the data subject has been obtained by the Customer. When consent is withdrawn, features in Appraisd will make it easy for a Customer Administrator to permanently delete or anonymise user data. We will also be providing features to ensure Customers can respond to Data Subject Access Requests.
We provide tools and support to enable Customers' Administrators to anonymise personal data in Appraisd where possible. Where not possible, Customers will be able to permanently delete personal data.
We will provide timely notification in the event of any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any personal data. This is detailed in our Data Processing Agreement.
We use state of the art technology and best practice to ensure the safety of your data. All Appraisd customer data is stored in Microsoft Azure datacentres in the UK that are ISO27001 and ISO/IEC 27018 certified. All data is encrypted at rest and in transit. Where data crosses EU borders it is transferred using appropriate EU model clauses and other contractual assurances.
As a customer of Appraisd, you will act as the data controller for personal data you use and provide to Appraisd as part of your usage of the service. Appraisd is a data processor and processes data on behalf of you, the data controller. As a data controller, you will have obligations under GDPR concerning lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as obligations to fulfil data subjects’ rights with respect to their data. These responsibilities are detailed in our Data Processing Agreement.
We are proud to have achieved ISO27001:2017 certification which provides independently-verified assurance of our security practices against an internationally recognised set of standards as well as a commitment to self improvement.