General Data Protection Regulations


We take data security & privacy seriously and believe that the GDPR is a crucial step forward for clarifying and enabling individual privacy rights. We are committed to maintaining compliance with the GDPR.

We have taken the decision to certify our information security management system to the requirements of ISO27001:2013.

By gaining certification to ISO27001:2013, we can ensure that the appropriate controls for the management of information are in place and that we are working to meet our legal and regulatory requirements, including those outlined in the GDPR.

As part of this process we have completed both a companywide information classification assessment and privacy impact assessment. These have allowed us to understand the data we hold in every part of the business (both our own data and your data), the level of protection required for the data and how we can implement further controls to reduce the likelihood of an incident impacting these assets in the future.


Banyard Solutions Ltd operates and maintains an Information Security Management System (ISMS) to control its information assets appropriately. Certification to the information security standard ISO 27001 will be achieved within the next two-three months.

Our ISMS is a systematic and pro-active approach to effectively manage risks to the security of your company’s confidential information. The system promotes efficient management of corporate information, identifying vulnerabilities to ensure it is adequately protected against potential threats. It encompasses premises security, people, process and IT systems.

We implement human, organisational and technological security controls to protect information assets (including personal data) from unauthorised access, unwanted disclosure, modification, theft/loss, denial of service attacks, or any other threat.

We have implemented internal policies and procedures that support the ISMS as part of our ISO9001:2015 management system and new ISO27001:2013 system. These are independently audited by our certification body through an ongoing audit process consisting of two external visits per year, which comprises an internal review (carried out at the 6-month stage), and an annual re-certification audit to ensure we comply with the requirements of the standard.

The ePermits system and supporting infrastructure are also audited through ongoing monitoring and testing using vulnerability scanning, asset management and penetration testing software and by external security consultants.

The ePermits system is hosted in a scalable cloud computing platform designed for high availability and redundancy.

End-to-end security and privacy are built into the system in accordance with security best practices, privacy by design requirements and appropriate security controls such as multi-factor authentication, data encryption in transit and at rest.


Are you a Data Processor or Controller?

Banyard Solutions Ltd act as a data processor for our customers, we process personal data, such as name and email address on your behalf in accordance with the contracted terms & conditions.

Banyard Solutions Ltd act as a data controller for our own data, meaning we determine the purposes and means of the processing of personal data, such as name and email address for the purposes of sending information about our products and services.

Do you perform Privacy Impact Assessments? (PIA’s)

We perform risk assessments, including PIA’s, in accordance with the ISO27001:2013 standard. These address the confidentiality, integrity and availability requirements of all personal data handled by Banyard Solutions Ltd.

This includes a full assessment of what data we hold, where this information is located, the risks involved with processing this information and the controls necessary to address the associated risks.

How will you handle subject access requests (SAR)?

As a Data Controller for our own data, we will verify the identity of the individual making the request and confirm if their data is being processed. We will provide access to the data and any supplementary information within one month from receipt of the request.

As a Data Processor working on behalf of our Customers we are not able to process SARs on your behalf. If we receive a SAR from one of your employees or contractors, we will forward the request to you. Once you verify the identity and confirm their personal data is being processed, we will assist you making the data available.

How do you process data portability requests?

As a Data Processor working on behalf of our Customers we are not able to process data portability requests on your behalf. We provide you with tools inside the system to extract information in commonly used file formats.

What happens in the case of a data breach?

Banyard Solutions Ltd are registered with the ICO. Under the GDPR, we are required to report data breaches to the ICO within 72 hours.

As part of our information security incident management procedure, appropriate communications will be made, including notifications to all affected parties.

How do you ensure you meet with the privacy by design requirements?

As part of our information security management system, we have implemented system development principles to ensure that whenever we develop or introduce new systems, privacy and security requirements are considered at every stage.

Where is my data stored?

Customer data is stored in the UK and does not leave the UK.


The GDPR is a new regulation which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union, aiming to give control back to citizens and residents over their personal data. The GDPR replaces the current Data Protection Act and comes into effect from 25th May 2018. To comply with the GDPR, we have imbedded the following six principles within our operations:

1. Lawfulness, fairness and transparency

Lawful: Processing must meet the tests described in GDPR [article 5, clause 1(a)]. Fair: What is processed must match with how it has been described. Transparency: Tell the subject what data processing will be done.

  • As a controller, we process personal data we collect in a fair, lawful and transparent manner; and in accordance with individuals’ rights.
  • As a processor, we will only process the personal data you have given us or have entered into the system.

2. Purpose limitations

Personal data can only be obtained for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.

  • As a controller, we will only collect personal data for specified, explicit and legitimate purposes. Data we collect will not be used for any other purposes other than what you as the data subject(s) have been made aware of.
  • As a processor, we will only process personal data you have given us or enter into the system for the purpose of providing you our service.

3. Data minimisation

Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [article 5, clause 1(c)]. i.e. No more than the minimum amount of data should be kept for specific processing.

  • As a controller, we will only collect personal data that is needed, adequate and relevant for the specific purpose.
  • As a processor, you are responsible for ensuring that the data you hold in the system is limited to what is needed, adequate and relevant for the specific purpose.

4. Accuracy

Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Data holders should build rectification processes into data management / archiving activities for subject data. 

  • As a controller, we will ensure that personal data we collect is accurate, kept up to date and correct.
  • As a processor, you are responsible for ensuring that the data entered into the system is accurate and kept up to date.

5. Storage limitations

Regulator expects personal data is “kept in a form which permits identification of data subjects for no longer than necessary” [article 5, clause 1(e)]. Data no longer required should be removed.

  • As a controller, we will only keep personal data we collect for as long as it is needed, and you have the right to request your individual data is permanently deleted.
  • As a processor, you are responsible for ensuring that personal data entered into the system is removed when no longer needed. If you stop using the system, we will return your data and permanently delete all personal data held in the system on your behalf.

6. Integrity and confidentiality

Requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage” [article 5, clause 1(f)].

  • As a controller, we will process all personal data we collect in a manner that protects it against unwanted modification, disclosure or unlawful processing.
  • As a processor, we will use a risk-based approach to ensure our systems have the appropriate technical and organisational controls to safeguard the integrity and confidentiality of the personal data you give us.