General Data Protection Regulation

Official Statement: EU GDPR Compliance

At experienz, we are committed to providing our customers with transparency regarding our privacy practices and our compliance with UK privacy regulations, including the Data Protection Act 2018. We value your trust and are dedicated to protecting your privacy.

Our commitment to protecting the privacy of our customers' data includes:

  • Compliance with the UK General Data Protection Regulation (GDPR) – Data Protection Act 2018
  • Holding ISO 9001 – Quality Management System certification
  • Holding ISO 27001 – Information Security Management certification
  • Assessment of customer projects at inception to ensure privacy is part of the proposals and designs, using Data Protection Impact Assessment (DPIA) principles. experienz supports our customers' need to be compliant with the Data Protection Act 2018, also known as GDPR, which took effect on May 25, 2018.

What is GDPR?

GDPR is the new European privacy law that replaces the EU Data Protection Directive. The UK updated its laws with the Data Protection Act 2018, which is also known as UK GDPR and is likely to be updated following Brexit. experienz will look to comply with UK directives as they are published. The law requires that businesses protect the privacy and personal data of UK citizens and transactions that occur within UK member states.

What is “personal data”?

Personal data is any data that relates to an identified or identifiable natural person. Examples of personal data include identifiers such as name, location data, and unique online identifiers.

How did experienz prepare for GDPR?

The General Data Protection Regulation (GDPR) became enforceable in the European Union in May 2018, and the UK now operates under the Data Protection Act 2018 – experienz is fully compliant with this regulation. Our teams carried out data audits of our own employee data and carried this through to our project assessments. We reviewed our entire product suite and business practices, ensuring we could fully support our customers with GDPR compliance. We understand that personal data is the property of the individual and respect their rights as well as being legally compliant.

How experienz helps customers comply with GDPR

Know where your customers are geographically located: The UK GDPR applies to UK citizens and transactions that occur within UK member states. Therefore, to ensure that you are compliant with these regulations, you must be able to determine where your customers are located. There are different regulatory enforcement bodies in each member state. Any international transfers also need to be covered by the applicable local laws, such as Privacy Shield in the US. If data is transferred or processed outside of the UK or in countries without safeguards, then experienz will look to ensure adequate security and practices are put in place to protect the privacy of personal information.

Ensure that appropriate consent is obtained: GDPR favours opt-in consent mechanisms (explicit consent), e.g. an unselected checkbox, over opt-out consent mechanisms (implied consent), e.g. a pre-selected checkbox. Additionally, data subjects (your customers) should be able to withdraw their consent as easily as it was given and have their personal data erased. This does not include information that is required to complete a contract or that is subject to a legal requirement; however, such information needs to be identified and made clear.

Develop data breach response plans when personal data is involved: Organisations should have a clear, defined plan for when personal data is breached. GDPR requires that notice must be provided without undue delay and, where feasible, not later than 72 hours after having become aware of it. experienz Innovation will notify affected customers without undue delay if we become aware of a data breach of our services.

Hire a Data Protection Officer ("DPO"): GDPR makes the appointment of a DPO mandatory in some situations, such as when the activities of the data controller involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of "special categories of personal data" (such as those revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs). The DPO should have expert knowledge of data protection (privacy) law and practices. At experienz we have a Data Protection Lead, but as a processor of client data on the whole we have not appointed a DPO. Our Data Protection Lead and architects will work with clients and their DPOs as required to ensure privacy is protected, breaches are investigated and reported as required, and access requests and right-to-be-forgotten requests are complied with in a timely manner.

experienz Marketing

experienz customers and potential customers can modify/delete information by several mechanisms:

  • Account leads can modify and delete information
  • All marketing information contains an opt-out or unsubscribe link
  • Contact us using the contact details on our website, experienz.co.uk