SmartSpace.ai Data & Security FAQs
Q: Please describe the steps which you have taken to comply with the General Data Protection Regulation (GDPR)?
A: To comply with the General Data Protection Regulation (GDPR), we have taken several steps:
1. Breach Notification Procedures: We have defined procedures for notifying appropriate parties of a breach of sensitive information. For personal data breaches in the UK and Europe, where we are the controller, we notify the Information Commissioner's Office (ICO) without undue delay, and where feasible, not later than 72 hours after becoming aware of it. The notification includes the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm.
2. Risk Management: We regularly review internal and external risk factors, including employee behaviour, policy lapses, technological vulnerabilities, cyber-attacks, market changes, and regulatory developments. We have also activated the Drata compliance framework and rolled out PC monitoring from Drata.
3. Security Awareness Training: We have selected a security awareness training platform and have started the 2024 security compliance program.
4. Policy Review: We have a defined breach notification policy that establishes the requirements and procedures for reporting a breach of sensitive information. We also conduct an annual review of our privacy policy to ensure that personal information is used in conformity with the purposes identified in the privacy notice.
