Data Protection

Privacy Principles

Certus Risk Management Limited takes the protection of your personal information very seriously.  We are committed to protecting and respecting your privacy and providing you with a service that is safe, secure and trustworthy.

The General Data Protection Regulation (GDPR) applies from 25 May 2018.  GDPR supersedes the UK Data Protection Act 1998 and allows people to have greater control over how their personal data is used and to provide clearer guidance and understanding to businesses about their responsibilities.

We have reviewed and amended our current systems and procedures to prepare for the introduction of the GDPR.


We have updated our policies, processes and procedures to comply with GDPR, which includes:

  • Data Protection – an overarching framework with supporting processes and documents in place
  • Data Retention – outlining the timeframes for which data may be retained and what is required once these have been reached i.e. deletion or anonymisation
  • Records of processing – to meet the requirement for demonstrating our compliance with GDPR
  • Information Security Policy – we continually review and update our technical and managerial procedures and where applicable, enhance our processes to protect personal information from unauthorized access, accidental loss and/or destruction.
  • Privacy Policies – these have been updated and made available via our website or issued directly to data subjects as appropriate.

Data Subject Rights

We have formalised processes to address data subject rights, and complaints, to ensure they are recognised as such on receipt and that they are dealt with in the timeframes stipulated in the regulations.

We will also ensure that appropriate checks, such as identity and verification, are undertaken so that any requests are legal and lawful.

Data Protection Impact Assessments

Privacy by Design will be implemented within any new systems or processes that are introduced which will have an impact on data privacy and this will include the use of Data Protection Impact Assessments (DPIA).

DPIA will be carried out where any processing is undertaken, especially involving the use of new technology.

Lawful basis of processing

Where personal data is processed, we ensure that data minimisation is applied as far as practicable and that there is a lawful basis for any processing that is undertaken.

Third Parties

We have reviewed the processes and contracts that we have for existing and potential third parties to address our obligations in areas such as:

  • Ensuring any Personal Data they hold on our behalf is provided in compliance with the regulations;
  • Only acting on our instructions in respect of such Personal Data;
  • Outlining our requirements regarding any personal data held on termination of any contract.

For any new contracts or where amendments to existing agreements are required we have developed addendum / replacement clauses focused on data protection and GDPR.

Data Transfers

We use industry standard secure sockets layer (SSL) technology to encrypt sensitive information.  Your data will usually be processed and stored within the UK or on data servers that are located within the European Economic Area (EEA).  However on occasion, some third parties may need to store information in servers located outside of the EEA.  We take the security of your data seriously and so all our third-party arrangements have appropriate security in place that comply with all applicable legislative and regulatory requirements through appropriate contracts in place.


Certus Risk Management are certified under the UK Governments Cyber Essentials Scheme

Please be aware that communications over the internet, such as e-mails / web-mail, are not secure unless they have been encrypted. Your communications may route through several countries before being delivered and we cannot accept responsibility for any unauthorized access or loss of personal information that is beyond our control.

Our security policies include requirements such that our employees and subcontractors have appropriate access to data to enable them to fulfil their role and a recertification process is in place to ensure this access is verified and confirmed on a regular basis.


We have established a breach identification and notification process.  Our processes ensure that any breaches which affect the rights and freedoms of data subjects are recognised, actioned and escalated as required.


Our employees are required to treat all data that they have access to appropriately and are required to undertake appropriate training on a regular basis.

The training will make staff aware of the various data subject rights and what they will be required to do if any such requests are received.


You can download our Privacy Notice here:

CRM GDPR Privacy Principles – Website V4