EU General Data Protection Regulation (GDPR) 2018

The law is changing and on May 25th 2018 the EU General Data Protection Regulation (GDPR) comes into effect. apd business management is a global organisation and for us it is important that the personal information of our customers and our own people is handled in accordance with GDPR.

The new regulation replaces various existing directive and national legislation policies and brings a degree of consistency to the data protection regulation in Europe. This is setting the benchmark for other regions and many countries are following suit with equivalent arrangements. GDPR embodies the well-recognized privacy principles of transparency, fairness, and accountability. GDPR also seeks to introduce a risk-based approach that enables innovation and participation in the global digital economy while respecting individual rights.

As part of our continuous focus on information security and data privacy we have prepared for GDPR and set out here how we have achieved compliance:

Policies and procedures

Reviewed standards and processes to define the personal information lifecycle and help ensure data transparency, accuracy, accessibility, completeness, security, and consistency. Our Privacy Policy reflects GDPR requirements and sets the context for how we obtain, store and use information relating to our customers and our own people.

Privacy by Design

Integration of data protection, privacy, and security requirements into product design and development methodologies. Privacy requirements are embedded in the development cycle from ideation, through engineering to launch and validation.

Information Security

Reviewed and improved our information security framework, ensuring that incident response processes remain effective and that confidentiality, integrity and availability of personal information is assured through appropriate technical and organizational measures

Information Governance

Our data has been audited to categorise what we have, what we are doing with it, where it is, where it flows, and who has access to it. Data types are classified, with retention periods defined and built into systems and processes.

Subject access requests

Our Subject Access Request (SAR) process has been reviewed and enhanced. Any Subject Access Requests should be raised with the nominated Data Protection Officer who will follow the process to issue a SAR form to the Data Subject. Our legal team will support us through each SAR journey to ensure we are acting as required by GDPR.

Lawful basis for processing personal data

The lawful bases in the GDPR are broadly the same as the conditions for processing in the Data Protection Act. We have reviewed our legal basis for processing data both as a Data Controller and as a Data Processer and these are defined both in our data audit documents and on our privacy statements in our corporate and product websites.


Consent to process personal data must be freely given, specific, informed and unambiguous, it must also be separate from other terms and conditions. On our product websites, our privacy statements are promoted to users to ensure we are being transparent about what data we hold and what we do with it. At the point of data submission, users can tick a box explicitly requesting to be contacted. The personal data captured through our product websites is the minimum required to securely validate a user account, and to enable us to contact them if they require support. The personal data we collect from our staff is a legal requirement of employment. Our privacy statements make clear that in each case, that we have a valid legal basis for collection and processing and personal data is not used for profiling/marketing purposes and is not resold to third parties or made publicly available.


Where does apd business management store personal information?

apd business management is based in the UK and our products make use of industry-standard security and hosting operating from West Europe, with Microsoft Azure cloud platform.

How can I request access to my personal information?

Within our product websites our customers can access their personal information and data via their account login under the My Profile section. If you have a specific request for personal information, please review the privacy policy and contact our data protection team for details about our subject access request process. If you are based in an EU or EEA country, you can also contact our Data Protection Representative in Germany. We will need to authenticate your identity to ensure we handle any request securely

Where can I find more information on apd business managements’ privacy policy?

You can read our full privacy policy statement here