Data Protection Compliance Statement
On 25 May 2018 a new set of data protection legislation came into force across the EU and within
the UK which is comprised of the General Data Protection Regulation (GDPR) and the Data Protection
Act 2018 (DPA). These new laws apply to all public bodies, businesses, organisations
and entities that process personal data. This ensures a single standard of data protection for all
EU citizens and places a number of obligations and standards on entities worldwide with the
goal of protecting individuals and their data.
iPassport Ltd is committed to ensuring the security and protection of the
personal information that we process, and to providing a compliant and consistent approach
to data protection. We recognise our obligations in updating and expanding this program to meet
the demands of the GDPR and the Data Protection Act 2018.
iPassport Ltd are dedicated to safeguarding the personal information and maintaining a
data protection regime that is effective, fit for purpose and demonstrates an understanding of, and
appreciation for the legislation as well as providing a service which enforces and
protects individuals. Our objectives for GDPR compliance have been summarised in this
statement and include the development and implementation of new data protection roles, policies,
procedures, controls and measures to ensure maximum protection to personal data as well as taking a
continuous view to improving these standards with the development of technology and other measures.
How we are prepared for Data Protection Legislation
iPassport Ltd already have a consistent level of data protection and security across
our organisation; however, it is our aim to remain fully compliant with the legislation
and continue to upgrade these systems with advancements in technology.
Our preparation included:
- Information Audit - carrying out a company-wide information audit to identify and
assess what personal information we hold, where it comes from, how and why it is processed and if
and to whom it is disclosed.
- Policies & Procedures - implementing new data protection policies and procedures to meet
the requirements and standards of the GDPR and any relevant data protection
- Data Protection – our main policy and procedure document for data protection
has been developed to meet the standards and requirements of the GDPR.
- Data Retention & Erasure – we have updated our retention policy and schedule to
ensure that we implement the ‘data minimisation’ and ‘storage limitation’ principles and
that personal information is stored, archived and destroyed compliantly and ethically. We
have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are
aware of when this and other data subject’s rights apply; along with any exemptions,
response timeframes and notification responsibilities.
- Data Breaches – our breach procedures ensure that we have safeguards and measures in place to
identify, assess, investigate and report any personal data breach at the earliest possible time.
Our procedures are robust and have been disseminated to all employees, making them aware of the
reporting lines and steps to follow.
- International Data Transfers & Third-Party Disclosures – iPassport Ltd does not currently store
or transfer personal data outside of the EU; however, were we to do so in the future,
this would only be done where robust procedures and safeguarding procedures are in
place to secure, encrypt and maintain the integrity of the data. Our procedures include a
continual review of countries deemed sufficiently adequate by the EU as well as the use
of standard data protection clauses alongside carrying out specific due diligence of all
recipients of personal data to access and verify that they have the appropriate
safeguards in place to protect the information, ensure enforceable data subject rights and have
effective legal remedies for data subjects where applicable.
- Subject Access Request (SAR) – we have revised our SAR procedures to accommodate the
revised 30-day timeframe for providing the requested information and for making this
provision free of charge. Our new procedures detail how to verify the data subject, what
steps to take for processing an access request, what exemptions apply and a suite of
response templates to ensure that communications with data subjects are compliant, consistent and
- Legal Basis for Processing - we review all processing activities to identify the legal basis
for processing and ensure that each basis is appropriate for the activity it relates
to. Where applicable, we also maintain records of our processing activities, ensuring
that our obligations under Article 30 of the GDPR and Schedule 1 of the DPA are met.
- Privacy Notice/Policy – we have revised our Privacy Notice(s) to comply with the
GDPR, ensuring that all individuals whose personal information we process have been informed of why
we need it, how it is used, what their rights are, who the information is disclosed to and
what safeguarding measures are in place to protect their information.
- Obtaining Consent – we have revised our consent mechanisms, ensuring that
individuals understand what they are providing, why and how we use it and giving
clear, defined ways to consent to us processing their information.
- Data Protection Impact Assessments (DPIA) – where we process personal
information that is considered high risk, involves large scale processing or includes
special category/criminal conviction data; we have developed stringent procedures and
assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article
- Special Categories Data - where we obtain and process any special category
information, we do so in complete compliance with the Article 9 requirements and have
high-level encryptions and protections on all such data. Special category data is only processed
where necessary and is only processed where we have first identified the appropriate Article 9(2)
basis or the Data Protection Act Schedule 1 condition. Where we rely on consent for
processing, this is explicit and is verified by user consent, with the right to modify or
remove consent being clearly indicated.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can
enforce their data protection rights, we provide easy to access information via our website of an
individual’s right to access any personal information that iPassport Ltd processes about them and
to request information about: -
• What personal data we hold about them
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has/will be disclosed
• How long we intend to store their personal data for
• If we did not collect the data directly from them, information about the source
• The right to have incomplete or inaccurate data about them corrected or completed and the
process for requesting this
• The right to request erasure of personal data (where applicable) or to restrict
processing in accordance with data protection laws
• The right to lodge a complaint or seek judicial remedy and who to contact in
Information Security & Technical and Organisational Measures
iPassport Ltd takes the privacy and security of all information very seriously and takes every
reasonable measure and precaution to protect and secure the personal data that we process. We have
robust information security policies and procedures in place to protect personal
information from unauthorised access, alteration, disclosure or destruction and have several layers
of security measures, including: - SSL, access controls, password policy, encryptions,
pseudonymisation, practices, restriction, IT, authentication.
Roles and Employees
iPassport Ltd have a designated Data Protection Officer and have appointed a data privacy team to
develop and implement our roadmap for complying with the new data protection legislation. The team
are responsible for promoting awareness of the legislation across the organisation, assessing our
GDPR readiness, identifying any gap areas and implementing the new policies, procedures and
We are also working with Acumen Business Law, whose data protection experts oversee and guide us in
delivering business & process changes to ensure our ongoing compliance.
If you have any questions about our preparation for the legislation, please contact our Data
Protection Officer at:
Metropolitan House 38-40 High Street Croydon
Greater London CR0 1YB