Our Approach to the GDPR
The EU General Data Protection Regulation (“GDPR”) came into force on 25 May 2018.
The new Regulation aims to standardise data protection laws and processing across the EU, giving people greater rights to access and control their personal data.
BoardRoom is committed to ensuring the security and protection of the personal data that we process, and to provide a compliant and consistent approach to data protection. While we already have a consistent level of data protection and security across the countries where we operate, we recognise that our clients operate all over the world and we continue to monitor developments to expand this program to meet the requirements of GDPR.
To this end, we have created this statement to explain our approach to implementing our GDPR compliance program. It describes the implementation of our data protection roles, policies, procedures, controls and measures to ensure ongoing compliance with GDPR.
Our GDPR Principles
BoardRoom takes the privacy and security of individuals and their personal data very seriously. We only collect personal data in connection with providing our services and running our business. Our principles for processing personal data are:
- We will process all personal data fairly and lawfully
- We will only process personal data for specified and lawful purposes
- Where practical, we will keep personal data up to date
- We will not keep personal data for longer than is necessary
Data Subjects Rights under GDPR
At BoardRoom, we will assist our client when an individual, who is a EU data subject to which the GDPR applies, requests information (which we collect on behalf of that client) about:
- What personal data we hold about an individual
- The categories of personal data we collect from an individual
- The purposes for collecting and processing personal data from an individual
- How long we plan to keep the personal data
- The process to have incomplete or inaccurate personal data corrected or completed
- Where applicable, the process for requesting erasure of the personal data or for restricting the processing of personal data in accordance with data protection laws, as well as to object to any direct marketing from us
- Whether the personal data has been used to make an automated decision
Our GDPR Compliance Plan
As part of our GDPR journey, we have taken the following steps:
- Information Audit — We have carried out an audit and we will continue to conduct data mapping inventory and analysis of collected personal data in our systems and records.
- Policies and Procedures — We have established procedures and policies to restrict retention and processing of personal data in accordance with “data minimisation” and “storage limitation” principles. Accountability and governance measures are in place, with a dedicated focus on privacy and the rights of individuals.
- Data Breaches — We have safeguards in place to identify, assess, investigate and report any personal data breach. Our procedures have been explained to all employees.
- Third Party Measures — Where third-parties are used to process personal data on our behalf, we require them to comply with our data privacy policies and GDPR requirements.
- International Data Transfers and Third-Party Disclosures – While we do not transfer personal data outside the EU, we have robust procedures in place to secure the integrity of the data. Our procedures include a continual review of the countries which we operate in.
Contact us if you have GDPR related questions
If you have any questions about this Statement, or our privacy or security practices, please contact us: