CREST GDPR Compliance Statement
CREST (International) (hereafter referred to as CREST) is a registered company in England and Wales under number 09805375. Our registered office is Abbey House, 18-24 Stoke Road, Slough, Berkshire SL2 5AG, UK.
CREST (International) is registered with the Information Commissioner’s Office (ICO) under number ZA229721 for the processing of data.
CREST (International), which includes CREST (GB) and other CREST Chapters, embraces the General Data Protection Regulation (GDPR) which comes into force in EU Member states from 25 May 2018. The UK Government has confirmed that the UK’s departure from the European Union will not affect the commencement of the GDPR in May 2018 although there may be adjustments to its application once the UK has left the EU. The GDPR applies to processing of data carried out by organisations operating within the EU and it also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR puts into practice eight rights for individuals, which are:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling.
To process personal data, organisations must have a lawful basis for doing so.
There is no GDPR Compliance Certificate. The ICO can audit any organisation to assess whether it is compliant or not. Failure to comply, or evidence of gross data breaches, can result in a fine of up to 4% of annual turnover or up to €20m.
This data protection statement ensures that CREST:
- Complies with GDPR and good industry practice;
- Protects the rights of individuals;
- Is transparent about how it stores and processes personal data;
- Protects itself as far as possible from the risks of a data breach.
CREST places high importance on information security, privacy and transparency and will comply with the GDPR as a processor and controller of data. We have been engaged in a programme of development to deliver the requirements of this legislation. As part of this programme we have:
- Provided information to staff on what GDPR entails to ensure understanding of what data on individuals should be held or not, and how such data should be held;
- Ensured personal or sensitive data held by us is secure and compliant with legislation;
- Ensured that all individuals with whom we have contact have the option to provide data to us or not and to have any data we hold on them deleted;
- Ensured any third parties are aware of their obligations;
- Initiated an audit trail for information;
- Initiated removal procedures for the deletion or retention of data at defined intervals and will conduct regular data reviews to identify what data is no longer needed and will delete that data;