Skip to the content

GDPR Statement

Data Protection Compliance Statement


On 25 May 2018 a new set of data protection legislation came into force across the EU and within
the UK which is comprised of the General Data Protection Regulation (GDPR) and the Data Protection
Act 2018 (DPA). These new laws apply to all public bodies, businesses, organisations
and entities that process personal data. This ensures a single standard of data protection to all
EU citizens and places a number of obligations and standards on entities across worldwide with the
goal of protecting individuals and their data.

Our Commitment
iPassport Ltd is committed to ensuring the security and protection of the
personal information that we process, and to provide a compliant and consistent approach
to data protection. We recognise our obligations in updating and expanding this program to meet
the demands of the GDPR and the Data Protection Act 2018.

iPassport Ltd are dedicated to safeguarding the personal information and maintaining a
data protection regime that is effective, fit for purpose and demonstrates an understanding of, and
appreciation for the legislation as well as providing a service which enforces and
protects individuals. Our objectives for GDPR compliance have been summarised in this
statement and include the development and implementation of new data protection roles, policies,
procedures, controls and measures to ensure maximum protection to personal data as well as taking a
continuous view to improving these standards with the development of technology and other measures.

How we are prepared for Data Protection Legislation
iPassport Ltd already have a consistent level of data protection and security across
our organisation, however it is our aim to remain fully compliant with the legislation
and continue to upgrade these systems with advancements in technology.

Our preparation included:

  • Information Audit - carrying out a company-wide information audit to identify and
    assess what personal information we hold, where it comes from, how and why it is processed and if
    and to whom it is disclosed.
  • Policies & Procedures - implementing new data protection policies and procedures to meet
    the requirements and standards of the GDPR and any relevant data protection
    laws, including:
    • Data Protection – our main policy and procedure document for data protection
      has been developed to meet the standards and requirements of the GDPR.
    • Data Retention & Erasure – we have updated our retention policy and schedule to
      ensure that we implement the ‘data minimisation’ and ‘storage limitation’ principles and
      that personal information is stored, archived and destroyed compliantly and ethically. We
      have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are
      aware of when this and other data subject’s rights apply; along with any exemptions,
      response timeframes and notification responsibilities.
    • Data Breaches – our breach procedures ensure that we have safeguards and measures in place to
      identify, assess, investigate and report any personal data breach at the earliest possible time.
      Our procedures are robust and have been disseminated to all employees, making them aware of the
      reporting lines and steps to follow.
    • International Data Transfers & Third-Party Disclosures – iPassport Ltd does not currently store
      or transfer personal data outside of the EU however where we were to do so in the future
      this would only be done where robust procedures and safeguarding procedures are in
      place to secure, encrypt and maintain the integrity of the data. Our procedures include a
      continual review of countries deemed sufficiently adequate by the EU as well as the use
      of standard data protection clauses alongside carrying out specific due diligence of all
      recipients of personal data to access and verify that they have the appropriate
      safeguards in place to protect the information, ensure enforceable data subject rights and have
      effective legal remedies for data subjects where applicable.
    • Subject Access Request (SAR) – we have revised our SAR procedures to accommodate the
      revised 30-day timeframe for providing the requested information and for making this
      provision free of charge. Our new procedures detail how to verify the data subject, what
      steps to take for processing an access request, what exemptions apply and a suite of
      response templates to ensure that communications with data subjects are compliant, consistent and
    • Legal Basis for Processing - we review all processing activities to identify the legal basis
      for processing and ensuring that each basis is appropriate for the activity it relates
      to. Where applicable, we also maintain records of our processing activities, ensuring
      that our obligations under Article 30 of the GDPR and Schedule 1 of the DPA are met.
  • Privacy Notice/Policy – we have revised our Privacy Notice(s) to comply with the
    GDPR, ensuring that all individuals whose personal information we process have been informed of why
    we need it, how it is used, what their rights are, who the information is disclosed to and
    what safeguarding measures are in place to protect their information.
  • Obtaining Consent – we have revised our consent mechanisms, ensuring that
    individuals understand what they are providing, why and how we use it and giving
    clear, defined ways to consent to us processing their information.
  • Data Protection Impact Assessments (DPIA) – where we process personal
    information that is considered high risk, involves large scale processing or includes
    special category/criminal conviction data; we have developed stringent procedures and
    assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article
    35 requirements.
  • Special Categories Data - where we obtain and process any special category
    information, we do so in complete compliance with the Article 9 requirements and have
    high-level encryptions and protections on all such data. Special category data is only processed
    where necessary and is only processed where we have first identified the appropriate Article 9(2)
    basis or the Data Protection Act Schedule 1 condition. Where we rely on consent for
    processing, this is explicit and is verified by, user consent, with the right to modify or
    remove consent being clearly indicated.

Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can
enforce their data protection rights, we provide easy to access information via our website of an
individual’s right to access any personal information that iPassport Ltd processes about them and
to request information about: -
• What personal data we hold about them
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has/will be disclosed
• How long we intend to store your personal data for
• If we did not collect the data directly from them, information about the source
• The right to have incomplete or inaccurate data about them corrected or completed and the
process for requesting this
• The right to request erasure of personal data (where applicable) or to restrict
processing in accordance with data protection laws
• The right to lodge a complaint or seek judicial remedy and who to contact in
such instances

Information Security & Technical and Organisational Measures
iPassport Ltd takes the privacy and security of all information very seriously and take every
reasonable measure and precaution to protect and secure the personal data that we process. We have
robust information security policies and procedures in place to protect personal
information from unauthorised access, alteration, disclosure or destruction and have several layers
of security measures, including: - SSL, access controls, password policy, encryptions,
pseudonymisation, practices, restriction, IT, authentication.

Roles and Employees
iPassport Ltd have a designated Data Protection Officer and have appointed a data privacy team to
develop and implement our roadmap for complying with the new data protection legislation. The team
are responsible for promoting awareness of the legislation across the organisation, assessing our
GDPR readiness, identifying any gap areas and implementing the new policies, procedures and

We are also working with Acumen Business Law, whose data protection experts oversee and guide us in
delivering business & process changes to ensure our ongoing compliance.
If you have any questions about our preparation for the legislation, please contact our Data
Protection Officer at:
Metropolitan House 38-40 High Street Croydon
Greater London CR0 1YB

iPassport currently has two solutions; Cognosco and Stashd. They can can be used independently or can work alongside each other. For more information please visit our websites.