EU General Data Protection Regulation (GDPR)

At APD, we are committed to maintaining the trust and confidence of everyone who shares their personal data with us by protecting their privacy. As a global organisation, we always ensure that any personal information we receive from clients, visitors and our own people is handled in accordance with the EU General Data Protection Regulation (GDPR), introduced in May 2018.

GDPR embodies the well-recognised privacy principles of transparency, fairness, and accountability. It enables innovation and participation in the global digital economy while respecting individual rights.

As part of our continuous focus on information security and data privacy, we have set out here how we achieve compliance:

All our standards and processes enable us to define the personal information lifecycle and help ensure data transparency, accuracy, accessibility, completeness, security, and consistency. Our Privacy Policy reflects GDPR requirements and sets the context for how we obtain, store and use information relating to our clients and our own people.

We integrate data protection, privacy, and security requirements into our product design and development methodologies. Privacy requirements are embedded in the development cycle from ideation through engineering to launch and validation.

We’re committed to continually improving our information security framework to ensure that incident response processes remain effective and that confidentiality, integrity and availability of personal information are assured through appropriate technical and organisational measures.

All data we store is categorised, allowing us to have immediate access to what we have, what we are doing with it, where it is, where it flows, and who has access to it. Data types are classified, with retention periods defined and built into systems and processes.

Our Subject Access Request (SAR) process has been reviewed and enhanced. Any Subject Access Requests should be raised with the nominated Data Protection Officer, who will follow the procedure to issue a SAR form to the Data Subject. Our legal team will support us through each SAR journey to ensure we act as required by GDPR.

The lawful bases in the GDPR are broadly the same as the conditions for processing in the Data Protection Act. We have a valid legal basis for processing data both as a Data Controller and as a Data Processor, and these are defined in our data audit documents and in the privacy statements on our corporate and product websites.

Consent to process personal data must be freely given, specific, informed and unambiguous. It must also be separate from other terms and conditions. On our product websites, our privacy statements are promoted to users to ensure we are transparent about what data we hold and what we do with it. At the point of data submission, users can tick a box explicitly requesting to be contacted. The personal data captured through our product websites is the minimum required to securely validate a user account and enable us to contact the user if they need support. The personal data we collect from our staff is a legal requirement of employment. Our privacy statements make clear that, in each case, we have a valid legal basis for collection and processing, and that personal data is not used for profiling/marketing purposes and is not resold to third parties or made publicly available.