NDC Global Auditors Brings Training Services to Wiltshire

It’s been a busy and exciting start to the year for us here at NDC Global Auditors. In February, we moved from our Swindon offices to Trowbridge, where we have set up a Wiltshire Training Academy. Businesses across Wiltshire can now access a wide range of open access training courses that will help them to stay legally compliant.

Helping You to Achieve ISO and GDPR Compliance

Businesses are increasingly under pressure to demonstrate legal compliance in areas such as quality, information security, environmental management, and health and safety. Achieving ISO certification allows businesses to demonstrate best practice and strive for continual improvement. More and more organisations are recognising this, and the need to put systems and training in place to protect their business. In response to this growing need, NDC has expanded its service offering to help businesses achieve their goals across all core areas of legal compliance.

What’s New?

Open Access Courses

In addition to our on-site consultancy and training services, we now offer a full range of open access training courses at our Wiltshire Training Academy, and at the Pilgrims Academy in Redhill, Surrey.

Our courses cover all aspects of compliance in relation to:

  • Information security
  • Health, Safety, Fire and First Aid
  • Environmental Management
  • ISO Standards

You can find our full range of training services on our website.

Information Security and GDPR Services

With the GDPR on the horizon, and the increasing sophistication of cyber-crime technology, information security is a growing concern for businesses of all types and sizes. To help our clients protect this aspect of their business, we have expanded our services to include ISO 27001 Information Security Management, and in particular, support for the new GDPR.

For more information on our consultancy and training services, please email info@ndcmanagement.co.uk or call us on 0333 939 8797.

Do the Control of Asbestos Regulations 2012 Affect My Business?

Asbestos awareness is vital.  According to the Health and Safety Executive (HSE), asbestos kills around 5000 workers each year – more than the number of people killed on roads.  When employers fail to comply with the Control of Asbestos Regulations 2012 it can be life-threatening, resulting in prosecution and potentially catastrophic fines.

Why is asbestos dangerous?

If materials containing asbestos are disturbed, toxic fibres are released into the air. These fibres don’t have an immediate effect but can cause fatal conditions such as asbestosis, which is a lung disease, and asbestos-related lung cancers. These diseases are often not diagnosed until it’s too late. Protect yourself and your workers by building asbestos awareness. You don’t necessarily need to remove asbestos. You do, however, need to identify and manage it so that it never presents a health hazard.

Am I responsible for the asbestos in my building?

Under the regulations, if you own your premises, then you are responsible.  If you are a tenant, then you might still be accountable.  Under your tenancy agreement, if you are responsible for alterations, repairs and maintenance then you are also responsible for asbestos control.  If you share maintenance duties with the owner or other occupiers of the building, then you are jointly accountable.

What happens if my employees encounter asbestos while working on or off site?

Employees need to be made aware that they should stop work immediately if they suspect asbestos is present. Under the Control of Asbestos Regulations 2012 most higher-risk work with asbestos needs a licence from the HSE; lower-risk work may be carried out by a non-licensed contractor only where appropriate information, instruction and training have been given. Employers have a legal duty to provide instruction and training to employees who are likely to come across asbestos.

What happens when the Control of Asbestos Regulations 2012 are breached?

In August this year a Wigan building contractor was fined nearly £8,000 for breaching regulations.  His work resulted in asbestos contamination of somebody’s home.  The owners couldn’t enter their house for a week while a £12,000 clean-up operation was carried out.  HSE Inspector David Norton said: ‘This incident could so easily have been avoided by simply carrying out correct control measures and safe working practices. Companies and individuals should be aware that HSE will not hesitate to take appropriate enforcement action against those that fall below the required standards’.

Understand your legal duties by reading the regulations on the HSE website.

How do I detect asbestos?

Asbestos can be found in any building built before 2000. If in doubt, always assume the building contains asbestos. The HSE website contains several images to help you recognise the substance. However, it’s difficult to identify by eye because it’s often mixed in with other materials. The reliable approach is to commission an asbestos survey from a competent surveyor (the HSE recommends using a UKAS-accredited surveyor) rather than relying on visual inspection alone.

How can I raise my employees’ awareness about working safely with asbestos?

NDC Global Auditors offers a half-day Asbestos Awareness course which will help you and your employees to detect asbestos, stay safe and stay legal.  Our course can be delivered on-site to your team, or your employees can attend an open access course at our Wiltshire or Surrey-based training centres.

Benefits of NDC’s Asbestos Awareness course:

As well as learning the dangers of asbestos, you will discover how to identify the different types and locations of asbestos in the workplace and on customers’ sites.  The course thoroughly covers:

  • The types of materials that can contain asbestos
  • The legal duty to manage asbestos
  • Safe work practices
  • Control limits
  • Accidental release and decontamination procedures
  • The uses and limitations of respiratory protective equipment and personal protection equipment

Why is asbestos awareness training essential?

To avoid disturbing asbestos, you must be able to spot it.  Well-informed employers understand how to reduce or eliminate the risks to their employees’ health and to stay inside the law.  Employees who are asbestos aware will be able to assess the risks on an ongoing basis, knowing when to protect themselves and how they would deal with contamination.

For further information on our Asbestos Awareness Course, visit our website or get in touch to book your place.

How Will the GDPR Affect Children’s Data Processing?

“The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’…”

The GDPR will bring in special protection for children’s personal data, particularly where it is used for information services such as online shopping, live or on-demand streaming services and for social networking.  The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’, explaining that this is because children ‘may be less aware of the risks, consequences and safeguards’ of handing over their personal data.  The regulation says that this is particularly the case when services are offered directly to a child and when their personal data is used for marketing and creating online profiles. If your company processes children’s personal data, here are the changes that will affect you:

Age of consent

“…the person with parental responsibility must give their consent for a child under 16 to share their personal data.”

The current Data Protection Act sets no age of consent, so in practice a child of any age can hand over their personal data online without parental consent. This will change under the GDPR, whose Article 8 sets the age of consent for online services offered directly to a child (what the regulation calls ‘information society services’) at 16. Below that age, the person with parental responsibility must give or authorise consent before the child’s personal data can be processed on the basis of consent. Data controllers are required to make ‘reasonable efforts’, taking available technology into account, to verify that consent was given or authorised by the holder of parental responsibility.

NOTE: Recital 38 states that parental consent is not required for counselling services offered directly to a child.

Member states may choose to lower the age of consent from 16, but not below 13. The UK government is planning to set it at 13. This won’t have too much impact on children’s social networking because children under 13 are already excluded from social networking sites such as Facebook and Snapchat. However, under the new regulation organisations that rely on consent are likely to have to verify the ages of their subscribers, which they don’t have to do presently. For services aimed at under-13s, organisations will have to be able to show that they have obtained parental authorisation.

Privacy notices

“Privacy notices for children must be…concise, transparent and in plain language.”

Privacy notices for children must be as transparent as those written for adults – the GDPR’s Article 12 says the information provided to data subjects must be concise, transparent and in plain language. Just like adults, children must know the identity of the data controller and how their personal data will be processed. They must also be made aware that they can withdraw their consent to data processing at any time (see the previous blog post ‘What will consent mean under the GDPR?’ for more information).  When writing privacy notices aimed at children, data controllers must take account of the specific age group of their audience so that they write in clear language that the child can easily understand.

Can you justify processing children’s data under GDPR rules?

“…the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.”

GDPR Article 6 (1) (f) says that the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.  Data controllers must make sure they have documentation to show that they have carefully considered this.  When we look at the GDPR definitions of ‘legitimate interests’, we can see that processing children’s data is unlikely to be necessary for most of these purposes.

Legitimate interests include:

  • processing for direct marketing purposes or preventing fraud – Recital 47
  • transmission of personal data within a group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data – Recital 48
  • processing to the extent strictly necessary for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems – Recital 49 (this is the basis that security logging, monitoring and intrusion detection most commonly rely on)
  • reporting possible criminal acts or threats to public security to a competent authority – Recital 50.

Codes of conduct

“It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.”

GDPR Article 40 requires member states, supervisory authorities, the European Data Protection Board and the Commission to encourage the drawing up of codes of conduct by trade associations and other representative bodies. These codes can cover the safeguarding of children’s data, specifically the way in which parental consent is obtained and documented. It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.

How can my organisation plan for changes?

Start by ensuring that:

  • you watch for the publication of codes of conduct that might impact your data processing
  • you implement appropriate parental consent mechanisms, including verification processes
  • where you offer services directly to a child, the notices are written in child-friendly language
  • any reliance on ‘legitimate interests’ to process children’s data is supported by carefully documented evidence to show that the child’s interests don’t override those of your organisation

For further advice and support on meeting the requirements of the GDPR, contact our lead auditors on 0333 939 8797 or email us at info@ndcmanagement.co.uk.   

What Will ‘Consent’ Mean Under the GDPR?

“Under the GDPR the definition of consent is clearer and more rigorous…”

The current Data Protection Act (DPA) and the GDPR both state that every organisation that processes personal data must have a legal basis for doing so; ‘consent’ is just one choice. If consent is your chosen legal basis then you need to be aware of differences between the current DPA and the GDPR.  Under the GDPR the definition of consent is clearer and more rigorous in order to ensure a consistent approach across the EEA.

The definition of consent in Article 4 (11) of the GDPR is: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’  Let’s look at some of the words and phrases in detail:

Freely given

“…data subjects must provide consent of their own free will and must never be misled…”

Current Data Protection guidance states that data subjects must provide consent of their own free will and must never be misled or disadvantaged for refusing consent. The GDPR formalises this, stating that consent is not deemed to be freely given when:

  • ‘the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment’ (Recital 42).
  • ‘there is a clear imbalance between the data subject and the controller’ (Recital 43). This especially applies when the data controller is a public authority with power over the data subject.

Recital 43 also says that consent is presumed not to be freely given if the provision of a service is conditional on the data subject agreeing to have their data processed in ways that are not necessary for that service, because the data subject then has no real choice but to accept the unnecessary processing. The same recital says consent is not freely given if it does not allow separate consent to be given for different processing operations. ‘Bundled’ consents are therefore usually invalid.


Specific

“A general consent to unspecified processing operations will normally be invalid.”

Consent must be obtained for a specific purpose or purposes. Recital 32 says that consent should cover all processing activities carried out for the same purpose, and that where processing has several purposes, consent is needed for each of them. A general consent to unspecified processing operations will normally be invalid. There are narrow exceptions, for example where the purpose of scientific research cannot be fully specified at the time the data is collected (Recital 33).


Informed

“…data subjects must be informed of their right to withdraw consent …”

The GDPR states that:

  • ‘the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended’ – Recital 42.
  • data subjects must be informed of their right to withdraw consent at any time, and must be told this before they give consent – Article 7 (3).

Unambiguous…clear, affirmative action

“…pre-ticked boxes and silence do not constitute consent.”

Under the current DPA, consent must be unambiguous. The GDPR takes this further: consent requires a clear affirmative action, so pre-ticked boxes, silence and inactivity do not constitute consent (Recital 32). The affirmative action can be a written statement, including by electronic means, or an oral statement. Oral consent is obviously harder to prove, so keep a record of what was agreed and when. Online forms should be written in plain language so that there is no question that the data subject understands what they are agreeing to. Where a request for consent is included in a document that also covers other matters, such as your terms and conditions, Article 7 (2) requires it to be presented in a way that is clearly distinguishable from the rest of the document.

The right to withdraw

“Organisations must make it easy to withdraw consent…”

GDPR Article 7 (3) says that data subjects must be able to withdraw their consent at any time, and that withdrawing consent must be as easy as giving it. They must be informed about this right at the time of granting consent. Therefore, if your company relies on consent as its legal basis you need to make sure that withdrawal is straightforward for the data subject and that your systems can act on it.

‘Explicit’ consent

“…explicit or express consent is given in writing with a handwritten signature.”

Where the GDPR sets out the legal requirements for special categories of personal data it uses the term ‘explicit consent’ rather than just ‘consent’. Under the current DPA this is called ‘sensitive personal data’: information about a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or criminal offences. GDPR Article 9 widens the list to include genetic data, biometric data used to identify a person, and sexual orientation, and deals with criminal offence data separately in Article 10. The GDPR doesn’t define the difference between ‘explicit consent’ and ‘consent’. Therefore you could take the advice of the Article 29 Working Party in Opinion 15/2011 who consider that: ‘…explicit or express consent is given in writing with a handwritten signature. For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data’.

How can my organisation prepare for changes to consent?

If you are relying on consent as the basis for lawful processing make sure that:

  • consent doesn’t rely on silence or pre-ticked boxes
  • consent is specific to each type of processing that you carry out
  • consent isn’t embedded within other documents like your terms and conditions, but stands out
  • the supply of your service isn’t on the condition of data subjects supplying consent for processing activities that are not necessary to your service
  • data subjects are clearly informed that they can withdraw consent at any time
  • methods for withdrawing consent are easy to use
  • separate consents are obtained for each processing operation
  • consent is not the legal basis for processing personal data when there is an imbalance between the data subject and data controller.

Final point: make sure that you are aware of all types of legal basis for processing data. Under the GDPR, using ‘consent’ as your legal basis for processing personal data is not always the easiest or best option.

For further advice and support on meeting the requirements of the GDPR, contact our lead auditors on 0844 826 6006 or email us at info@ndcmanagement.co.uk.   

5 Benefits of Task-based Risk Assessment

Risk assessment is a fundamental health and safety requirement in any type of organisation. When it comes to the manufacturing and engineering industries though, the value of task-based risk assessment goes beyond meeting legal requirements and keeping workers safe. Here are five reasons to include task-based risk assessment in your organisation’s core training programme.

1. It’s good practice

Task-based risk assessment forces the assessor to understand each step involved in a work-based task or process, and to examine all aspects of the activity being assessed, such as:

  • the task itself
  • the environment in which it takes place
  • the people that the task affects
  • the maintenance requirements of the equipment and plant involved.

This systematic exploration of an activity is both proactive and thorough. It gives the assessor an understanding of the risks involved in any given task, and of how wider organisational systems and processes impact on that task.

2. It’s inclusive

It’s impossible to conduct task-based risk assessment without directly involving the employees that carry out the task in question. This brings a number of benefits:

a) Tests whether your policies and processes translate directly into practice. Assessing a task allows you to see exactly how it is carried out on the ground. Employees that perform the task can give valuable insight into why written procedures might not be practical or safe in reality. Where unsafe working practices have become the norm, the assessor has the opportunity to discuss with workers which alternative safe methods could work in practice.

b) Encourages employee buy-in. When employees feel consulted, they generally feel more motivated to engage. Staff that have contributed to a risk assessment process are far more likely to adhere to the assessment’s recommendations.

c) Encourages a positive reporting culture. Employees are more likely to report potential risks if their observations are acted upon and they feel that they are contributing to wider organisational goals.

3. It highlights quality and operational issues

Because task-based risk assessment looks into whole processes, it can identify wider quality and operational issues within your organisation. Involving your quality or continuous improvement managers in the task-based risk assessment process can help to meet wider strategic aims and improve communication across functions.

4. It reduces costs

Once embedded within your organisation, task-based risk assessment, and an associated training programme, can help reduce health and safety costs by:

  • proactively identifying and preventing risks
  • improving working practices
  • reducing insurance premiums and the cost of claims: evidence of your task-based risk assessment training programme and practices can make you eligible for premium discounts and strengthens your position in the event of a compensation claim.


5. It drives continuous improvement

Task-based risk assessment requires that you review risk whenever there is a significant change to the task (equipment, personnel, environment, materials used, etc.). This approach to risk management demonstrates a commitment to continuous improvement in your health and safety practices. This is not only good practice in itself, but also meets the criteria for standards such as OHSAS 18001, the new ISO 45001, and ISO 9001:2015.

Are you ready to train your team?

NDC is the only provider of the IOSH approved Task-based Risk Assessment training course. Our 5-day course offers the knowledge, skills and practical application of task-based risk assessments for:

  • general risks
  • COSHH (Control of Substances Hazardous to Health)
  • display screen equipment (DSE)
  • manual handling operations
  • work at height.

We deliver the course on your premises so that delegates have the opportunity to practise risk assessment techniques in their own working environment. This is an assessed course: successful delegates receive an IOSH-approved Task-based Risk Assessment certificate upon completion. All course participants receive a workbook to help them put their learning into practice after the course.

For further information or to book a course, contact us on 0844 826 6006 or info@ndcmanagement.co.uk.

What Are the Benefits of ISO 27001 for My Organisation?

ISO 27001 is the internationally recognised standard that sets out the requirements for an information security management system (ISMS): the policies, processes and controls an organisation uses to manage risks to its information. It specifies how to establish, implement, operate, maintain and continually improve that system. If you become ISO 27001 certified you show clients and other stakeholders that you manage information security risks systematically and that an independent certification body has verified this.

What are the risks to information security?

Potential security threats include:

  • cyber crime
  • fire/damage
  • loss
  • misuse
  • personal data breaches
  • terrorism
  • theft
  • vandalism
  • malware infection

How can ISO 27001 certification help my organisation to manage these threats?

“…keeping the UK safe from cyber-attacks is now as important as fighting terrorism.”

An effective information security management system is vital for any organisation that depends on its data. Gaining ISO 27001 certification involves putting in place the technical and organisational controls necessary to manage and protect your valuable information from security threats. An ISO 27001 certified ISMS provides a framework for identifying risks and threats, assessing them, and establishing appropriate controls for eliminating or reducing them to an acceptable level.

Every information security management system must effectively control who has access to information at any given time. ISO 27001 provides a framework to make sure authorised users can get access to information whilst at the same time preventing unauthorised users from accessing data. If a data breach was to occur, this framework would enhance your organisation’s recovery operations.

By implementing ISO 27001 you are sending a clear message to everybody in your organisation that information security is your top priority. Increasing awareness in this way helps to set a security mind-set throughout your company, reducing the likelihood of employee related breaches.

What are the other benefits of ISO 27001 certification?

Protect your reputation

In a BBC news report dated 9th October, 2017 the head of the intelligence monitoring service GCHQ said: ‘…keeping the UK safe from cyber-attacks is now as important as fighting terrorism’. There’s no doubt that cyber-attacks are becoming more frequent and more sophisticated, causing financial and reputational damage to organisations everywhere. Therefore it’s more important than ever to meet ISO 27001 standards.

More customers!

ISO 27001 builds trust. Your clients, employees and stakeholders have the right to expect that their private information is protected. ISO 27001 standards are a blueprint for the policies and procedures that help to set everybody’s minds at rest. Not only will you keep your existing clients happy but you could also have a business advantage over competitors who are not ISO 27001 certified.

Avoid fines

Under the GDPR, which comes into force in May, fines for the most serious infringements can be up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. ISO 27001 certification does not make you GDPR-compliant by itself: the GDPR is law, and the standard is a management-system framework. What the standard does give you is a structured, auditable way to select and justify security controls that are proportionate to your risks, which is exactly the ‘appropriate technical and organisational measures’ the GDPR expects, along with the documented evidence (risk assessment, Statement of Applicability, audit records) that a regulator will ask for after a breach. It supports, rather than replaces, your legal compliance with the GDPR, the NIS Directive and other UK cyber security obligations.


Clear responsibilities

When a business grows very quickly in a short space of time there can be confusion about who is responsible for which information assets. ISO 27001 helps businesses to organise this aspect by requiring an inventory of information assets with a named owner for each, and by clearly setting out all information risk responsibilities.

Fewer audits

ISO 27001 certification is widely accepted as evidence of effective security management. Therefore, the standard can save you time and money by reducing the number of supplier audit days that your customers ask you to accommodate.

Independent advice

As part of your ISO 27001 certification, an external auditor will undertake regular reviews of your ISMS to ensure that there is continual improvement and that everything is working correctly. Therefore you will always feel confident that your ISMS provides the security necessary to protect your organisation’s data.

Is ISO 27001 appropriate for my type of business?

“The standard is especially suitable for organisations that process large quantities of personal or sensitive data…”

Yes. ISO 27001 certification is suitable for organisations of every size, across every sector. The standard is especially suitable for organisations that process large quantities of personal or sensitive data such as public and IT sectors, health bodies, and financial and banking organisations. It’s also the recognised standard for organisations that manage high volumes of data or manage information on behalf of other companies.

Can ISO 27001 be integrated with other management systems?

“Integrating your management systems brings substantial business benefits…”

ISO 27001 can be fully integrated with other ISO management systems, such as ISO 9001 quality management system, OHSAS 18001/ISO 45001 and ISO 14001 environmental management system. Integrating your management systems brings substantial business benefits, such as:

  • increased organisational efficiency and effectiveness
  • reduced costs
  • reduced disruption due to fewer external audits
  • a demonstrated commitment to performance, employee and customer satisfaction, and continuous improvement.

What are the steps to ISO 27001 certification?

ISO 27001 involves the following steps:

  1. A gap analysis to find out how your existing information security management system compares to the requirements of ISO 27001.
  2. A Stage 1 audit. Your external auditor reviews the ISMS documentation you have established following the gap analysis (scope, risk assessment, Statement of Applicability, policies and procedures), pointing out any further gaps that need addressing.
  3. A Stage 2 audit. Your auditor assesses the implementation of the procedures and controls that you’ve established to make sure they are operating effectively enough to meet the requirements for ISO 27001 certification.
  4. You receive an ISO 27001 certificate which is valid for three years. Your auditor visits regularly (typically annual surveillance audits, followed by recertification at the end of the cycle) to ensure that you continue to conform to the standard and that your information security management system continually improves, adding value to your business.

How can NDC help you to achieve ISO 27001 certification?

NDC Global Auditors’ team of qualified lead assessors have extensive experience in auditing to ISO standards in a number of industry sectors and their supply chains. Our ISO 27001 lead assessors can support your company at every step of the implementation process and provide follow-up consultancy support to facilitate continual improvement.

Our services include:

Consultancy and training

  • gap analysis and action-planning
  • switch on/switch off consultancy support throughout the implementation process
  • training for every step of the certification process
  • developing effective policies, audit checklists and protocols
  • third-party assessment
  • follow-up consultancy support to facilitate continual improvement
  • support to integrate ISO 27001 with other ISO standards such as ISO 9001, OHSAS 18001/ISO 45001 and ISO 14001.

Technology to support ISO 27001

Our partners at Soitron UK can also support you to build the IT infrastructure to facilitate ISO 27001 and GDPR compliance. Their technical experts can test your existing system for weaknesses and support you to develop IT and cyber security systems that are robust and compliant.

Contact us to discuss how we can support your organisation to implement ISO 27001.

How Will the Rules for Subject Access Requests (SARs) Change Under the GDPR?

The rules for making a subject access request (SAR) under the GDPR will be similar to the Data Protection Act 1998. However, there are key differences.   With less than six months until the GDPR comes into force, it’s time to make sure you can meet new requirements to be legally compliant.

What is a subject access request (SAR)?

A SAR is the right of an individual to request a copy of the personal data you hold about them, together with information about how it is processed. The reason that the GDPR and the Data Protection Act 1998 (DPA) provide this right is so individuals can verify that their personal data is being processed lawfully. Under the DPA a SAR has to be made in writing; under the GDPR a request is valid however it is made, including verbally, so your staff need to be able to recognise one in any channel. Individuals can ask:

  • why their data is being processed
  • what categories of personal data are held about them
  • who has received or will receive their personal data
  • where the data came from if they did not give it to you.

How will GDPR changes to subject access requests affect my organisation?


Fees

At the moment you can charge an administration fee (normally £10) for SARs. Under the GDPR you cannot charge unless the subject access request is ‘manifestly unfounded or excessive’, and the burden is on you to be able to prove that it is. As the guidance isn’t specific, that’s difficult. The GDPR also states that you can charge a ‘reasonable fee’ based on administrative costs for further copies of the same data – again the guidance isn’t specific, so approach with caution.

Response Time

The GDPR allows you just one month to respond to subject access requests instead of forty days under the DPA. This deadline can be extended by a further two months for a complicated or large request.  The data subject must be notified of any deadline extension within one month of receipt of the SAR and they must be given an explanation of the decision.  You will need to make sure that your organisation has procedures in place to cope with this reduced timescale.

Electronic Access

If an individual makes a SAR electronically then you must provide information in a commonly-used electronic format unless they request otherwise.   Before sending out electronic information you must verify the individual’s identity.  As you only have one month to respond to SARs you need to make sure that if requests are emailed to a particular staff member, then these are actioned when that staff member is absent.

Content of Response

When you respond to SARs you should tell the individual what personal information is held about them, the purpose for which it is held and what processing is being carried out. You might also need to provide additional information such as your data retention period.

Right to Withhold

The GDPR and current DPA hold the same position here. Under the DPA organisations can withhold information if it regards the prevention, detection or investigation of a crime; national security or the armed forces; the assessment or collection of tax; and judicial or ministerial appointments.  The GDPR states that personal data can be withheld if it would ‘adversely affect the rights and freedoms of others’.  In future our government may introduce further exemptions to SARs relating to public security, so we will have to watch this space.

How can my organisation prepare for changes to SARs?

    1. Create a subject access request template. It encourages individuals to provide the information you need to respond consistently and efficiently to SARs, though you cannot insist on it: a request made in any other form is still valid and the clock still starts when you receive it.
    2. Write and implement policies and procedures for handling SARs, making sure that the new shorter response times are incorporated.
    3. Make sure that your staff are trained to handle SARs so that they can identify them when they come in and respond correctly.


Final point: The key change most likely to affect your organisation is the reduced response time. As the GDPR only allows you one month to respond to subject access requests you might consider implementing a ‘data subject access portal’. This will enable individuals to access their personal data promptly, remotely and easily, helping to ensure that subject access requests are handled in a GDPR-compliant way. Bear in mind that such a portal is itself a route to personal data: it must authenticate the requester to the same standard you would apply before releasing data by any other channel, otherwise it becomes a way for an attacker to harvest other people’s records.

How can NDC help?

Working in partnership with IT and cyber security specialists at Soitron UK, our information security lead auditors can:

  • design a subject access request template that meets GDPR requirements and works in practice within your organisation
  • design policies and procedures that handle SARs in line with GDPR requirements, including meeting the shorter response times
  • train your staff to identify and handle SARs swiftly and correctly
  • develop your IT systems to facilitate SARs processing and all other GDPR requirements.

Contact us for further information on how our consultancy and training services can support your business to prepare for GDPR.