This document outlines some of the steps that we have taken from January 2017 in order to comply with the EU General Data Protection Regulation ("GDPR").

Working towards GDPR compliance

We take privacy and data protection seriously. As part of our commitment to protect the personal information of our customers, suppliers and other persons with whom we interact, we have been actively preparing for GDPR since the start of 2017.

Our preparations involved a significant amount of activity by individuals and teams within our organisation. In addition, we established a new team, the Data Governance Authority, which was tasked with ensuring our compliance. Examples of our GDPR compliance activities to date include:

  • Engaging external consultancy specialists to carry out a ‘Gap Analysis’
  • Selected staff attending external GDPR workshops and conferences
  • Our Chief Information Officer (“CIO”) and ‘IS Business Change Consultant’ both successfully completing the GDPR Practitioner Course and passing the IBITGQ EU GDPR exam
  • GDPR Foundation course training for specifically identified staff
  • Data mapping exercise: documenting personal data flows within the organisation
  • Weekly meetings of the Data Governance Authority to plan and coordinate our compliance work on GDPR
  • Communication of GDPR requirements to relevant individuals and teams within our organisation

Training and awareness

We have put in place measures to ensure that individuals and teams within our organisation are appropriately trained and aware of GDPR, including the changes we are making to internal policies, processes, procedures and terms and conditions.

Policy, process and procedure review

The Data Governance Authority has reviewed all appropriate policies, processes and procedures. Key examples of these are listed in ‘Personal Data Procedures and Work Instructions’ below.

Terms and conditions review

We have reviewed and updated our terms and conditions to ensure that GDPR contractual requirements are included in contracts between us and our customers, suppliers and subcontractors.

Data Protection Officer

Our organisation is not required to have a Data Protection Officer (DPO). However, we do place considerable importance on data security and privacy and have therefore ensured that we have a data protection lead (performed by the CIO) and the Data Governance Authority. Our CIO reports to our Operational Management Team on GDPR regularly.

Information Security

The importance we place on data security and privacy can be seen in our certifications. For example, we are certified in relation to ISO 27001 and Cyber Essentials Plus. Both of these have ensured a well-established approach to ‘Security by Design and Default’, which helps underpin our approach to the security aspects of GDPR.

Esri Inc and ArcGIS Online compliance

We are an authorised distributor of Esri technology, including the Esri ArcGIS platform.

Esri technology is proprietary to Environmental Systems Research Institute Inc. (“Esri” or “Esri Inc”), a company based in the United States of America. Typically, the ArcGIS products that you purchase from us will be hosted by you.

However, the ArcGIS Online software as a service product operates from servers located in the United States of America. We have therefore been working with Esri Inc to ensure compliance with GDPR, specifically in relation to ArcGIS Online.

Esri Inc has published several documents which relate to this, and which can be found via the following links:

Personal Data Procedures and Work Instructions

A list of some of our relevant policies, procedures and work instructions is provided below.