GDPR Compliance

Last updated: January 2024

1. Our Commitment to GDPR

Espiar is fully committed to compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. As a cybersecurity consultancy handling sensitive client data, we implement the highest standards of data protection and privacy.

Our approach: Privacy by design and by default in all our processes and systems.

2. Legal Basis for Processing

We process personal data under the following lawful bases:

  • Contractual Necessity (Article 6(1)(b)): Processing required to perform penetration testing services
  • Legitimate Interest (Article 6(1)(f)): Security monitoring and fraud prevention
  • Consent (Article 6(1)(a)): Marketing communications (where explicitly given)
  • Legal Obligation (Article 6(1)(c)): Compliance with financial and professional regulations

3. Data Protection Principles

We ensure all personal data processing adheres to GDPR principles:

  • Lawfulness & Fairness: All processing based on valid legal grounds with transparent purposes
  • Purpose Limitation: Data collected only for specified, legitimate cybersecurity purposes
  • Data Minimization: Only essential data collected for penetration testing activities
  • Accuracy: Regular verification and correction of personal data
  • Storage Limitation: Data retained only as long as necessary for stated purposes
  • Security: Industry-leading technical and organizational security measures

4. Your Rights Under GDPR

As a data subject, you have comprehensive rights regarding your personal data:

  • Right of Access (Article 15): Request copies of your personal data
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Request deletion of your personal data
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive your data in a structured format
  • Right to Object (Article 21): Object to certain types of processing
  • Rights Related to Automated Processing (Article 22): Protection from automated decision-making

Response Time: We respond to all rights requests within 30 days (or 60 days for complex requests).

5. Special Category Data Protection

While we primarily process business and technical data, we may encounter special category data during penetration testing. When this happens, we apply the following controls:

  • Identification: Immediate flagging of any special category data discovered
  • Segregation: Isolated handling with additional security controls
  • Minimization: Processing limited to absolute security testing necessity
  • Disposal: Secure deletion prioritized for such data

6. Data Security Measures

We implement technical and organizational measures exceeding GDPR requirements:

Technical Safeguards

  • End-to-end encryption (AES-256)
  • Multi-factor authentication
  • Regular security assessments
  • Secure development practices
  • Network segregation

Organizational Safeguards

  • Staff privacy training
  • Access control policies
  • Data handling procedures
  • Incident response plans
  • Regular audits and reviews

7. Data Processing Records

We maintain comprehensive records of all data processing activities including:

  • Processing Purpose: Clear documentation of why data is processed
  • Data Categories: Types of personal data involved
  • Data Subjects: Categories of individuals affected
  • Recipients: Who has access to the data
  • Retention Periods: How long data is kept
  • Security Measures: Technical and organizational safeguards applied

8. Data Protection Impact Assessments

We conduct DPIAs for all high-risk processing activities:

  • Systematic Assessment: Evaluation of privacy risks for each engagement
  • Risk Mitigation: Implementation of additional safeguards where needed
  • Stakeholder Consultation: Client involvement in privacy risk assessments
  • Documentation: Comprehensive records of all DPIAs conducted

9. Data Breach Response

Our incident response procedures ensure GDPR compliance:

  • Detection & Assessment: Immediate identification and evaluation of breaches
  • Containment: Rapid action to limit breach impact
  • Notification to Authorities: ICO notification within 72 hours (where required)
  • Individual Notification: Direct communication to affected individuals (where required)
  • Documentation: Comprehensive breach logs and lessons learned

10. Third-Party Data Sharing

When we engage subprocessors or share data with third parties:

  • Due Diligence: Thorough vetting of all third parties
  • Data Processing Agreements: Binding contracts ensuring GDPR compliance
  • Regular Audits: Ongoing monitoring of third-party compliance
  • Data Transfer Safeguards: Appropriate measures for international transfers

11. International Data Transfers

When transferring data outside the UK/EEA, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: EU-approved contractual protections
  • Binding Corporate Rules: Internal policies for multinational organizations
  • Certification Schemes: Recognized privacy certification programs

12. Data Protection Officer

Our Data Protection Officer (DPO) ensures ongoing GDPR compliance:

DPO Contact: dpo@espiar.co.uk

Responsibilities: Privacy compliance, training, and data subject rights

Independence: Direct reporting to senior management

Availability: Accessible for privacy concerns and guidance

13. Regular Compliance Reviews

We conduct ongoing assessments to ensure continued GDPR compliance:

  • Annual Privacy Audits: Comprehensive review of all processing activities
  • Policy Updates: Regular revision of privacy policies and procedures
  • Staff Training: Ongoing education on privacy requirements
  • Technology Reviews: Assessment of new tools and systems

14. Contact Information

For GDPR-related questions or to exercise your rights:

Data Protection Officer: dpo@espiar.co.uk

Privacy Inquiries: privacy@espiar.co.uk

General Contact: security@espiar.co.uk

Supervisory Authority: Information Commissioner's Office (ICO)

ICO Website: ico.org.uk