GDPR Readiness Statement
The General Data Protection Regulation (GDPR) is a Regulation of the European Union (EU) and, from June 3 2019, it applies to all organizations that collect and process the personal data of EU citizens.
Andrew Burton Driving School. recognizes the need to comply with the GDPR and ensure effective measures are in place to protect the personal data of our customers, employees and other stakeholders, and to ensure it is processed lawfully, fairly and transparently.
Commitment to the security of personal data is demonstrated through policies and the provision of appropriate resources to establish and develop effective data protection and information security controls implemented as part of our ISO 00011980694 certification.
In meeting our legal obligations, Workshare has put in place a comprehensive program to understand and validate our use of personal data and to confirm the lawful basis of our processing.
Further to this, we can confirm:
- A data protection policy is in place for the protection of personal data within Andrew Burton Driving School, which has been approved by management and communicated to all employees and other relevant people;
- All employees have received awareness training regarding data protection and the GDPR;
- Everyone understands their roles in the protection of personal data, and has received training where needed;
- We have identified the personal data we process, including where special categories are involved;
- For each occasion we process personal data, we have established the lawful basis of the processing under the GDPR;
- Where we have used the lawful basis of legitimate interest, we have conducted a documented balancing test to assess the benefits versus the impact on the data subject of the processing;
- In those cases where our processing is based on consent, we have taken steps to ensure clear, free consent has been given and is recorded, including consideration of parental consent for children;
- Tested procedures and online user facilities are in place to promptly process and fulfil data subject access requests, such as consent withdrawal, access and rectification;
- The length of time we keep personal data for, or the way we decide this, has been defined in each area of processing, and has been minimized; We are keeping records of processing as required by the GDPR;
- Where we are a controller, all of our contracts with processors have been updated to comply with the requirements of the GDPR;
- Where we act as a processor, we have contractually committed to complying with the requirements of the GDPR;
- All of our employees are subject to confidentiality obligations with respect to personal data;
- Where we transfer personal data internationally, we have ensured that the transfer is legal under the GDPR;
- Where appropriate, a data protection impact assessment approach which is line with the requirements and recommendations of the GDPR and relevant best practice, will be used;
- By default, we plan for data protection in new or changed services and systems, including minimizing our use of personal data and protecting it via techniques such as pseudonymization;
- We have tested procedures in place to fulfil our obligations in the event of a breach of personal data, both as a controller and as a processor;
- We have policies and other controls in place to provide appropriate protection of personal data, based on a careful assessment of risk;
- We have not appointed a Data Protection Officer but for data protection questions please contact: firstname.lastname@example.org
- We will continue to develop and improve our data protection policies and controls over time, guided by legal requirements and the needs and preferences of our customers and partners