Certus Data Protection Policy

Privacy Principles

Certus Risk Management Limited takes the protection of your personal information very seriously.  We are committed to protecting and respecting your privacy and providing you with a service that is safe, secure and trustworthy.

Certus are accredited with ISO/IEC 27001:2013 Certification for Information Security Management.

ISO 27001:2013 Certification demonstrates our ongoing commitment to robust security practices and risk management. By benchmarking our policies and procedures against this internationally recognised Information Security Management System standard, our customers, employees and consultants can be assured of the resilience and excellence of our service.

The General Data Protection Regulation (GDPR) has applied since 25 May 2018. GDPR supersedes the UK Data Protection Act 1998; it gives people greater control over how their personal data is used and provides businesses with clearer guidance on, and understanding of, their responsibilities.

Our policies, processes and procedures comply with GDPR, including:

  • Data Protection – an overarching framework with supporting processes and documents in place
  • Data Retention – outlining the timeframes for which data may be retained and what is required once these have been reached i.e. deletion or anonymisation
  • Records of processing – to meet the requirement for demonstrating our compliance with GDPR
  • Information Security Policy – we continually review and update our technical and managerial procedures and where applicable, enhance our processes to protect personal information from unauthorized access, accidental loss and/or destruction.
  • Privacy Policies – these are available via our website or issued directly to data subjects as appropriate.

We have formalised processes to address data subject rights and complaints, to ensure they are recognised as such on receipt and are dealt with within the timeframes stipulated in the regulations.

We will also ensure that appropriate checks, such as identity verification, are undertaken so that any requests are legal and lawful.

Privacy by Design will be implemented within any new systems or processes that are introduced which will have an impact on data privacy and this will include the use of Data Protection Impact Assessments (DPIA).

A DPIA will be carried out where any processing is undertaken, especially where it involves the use of new technology.

Where personal data is processed, we ensure that data minimisation is applied as far as practicable and that there is a lawful basis for any processing that is undertaken.

We ensure any Personal Data held on our behalf is provided in compliance with the regulations, including by:

  • Acting only on our instructions in respect of such Personal Data;
  • Outlining our requirements regarding any personal data held on termination of any contract.

We use industry standard secure sockets layer (SSL) technology to encrypt sensitive information. Your data will usually be processed and stored within the UK or on data servers located within the European Economic Area (EEA). However, on occasion some third parties may need to store information on servers located outside of the EEA. We take the security of your data seriously, so all our third-party arrangements have appropriate security in place, under contracts that comply with all applicable legislative and regulatory requirements.

Please be aware that communications over the internet, such as e-mails / web-mail, are not secure unless they have been encrypted. Your communications may be routed through several countries before being delivered, and we cannot accept responsibility for any unauthorized access or loss of personal information that is beyond our control.

Our security policies require that our employees and subcontractors have only the access to data that is appropriate to fulfil their role, and a recertification process is in place to ensure this access is verified and confirmed on a regular basis.

We have established a breach identification and notification process. Our processes ensure that any breaches which affect the rights and freedoms of data subjects are recognised, actioned and escalated as required.

Our employees are required to treat all data that they have access to appropriately and are required to undertake appropriate training on a regular basis.

The training will make staff aware of the various data subject rights and what they will be required to do if any such requests are received.

You can download our Privacy Notice here: