GDPR Statement

Please contact us with questions about our GDPR Statement. 

1. Purpose of this statement:

The General Data Protection Regulation (GDPR) comes into force in the United Kingdom on 25th May 2018, and represents a significant overhaul of data protection law. It strengthens the rights of data subjects in relation to the use that governments, businesses and other organisations can make of their personal data, and imposes new legal obligations on those organisations about how they hold and process personal data relating to their staff, customers, suppliers and other stakeholders.

Crawford HR (‘We’) takes privacy very seriously, and has undertaken an extensive GDPR-readiness programme using both GDPR-trained internal resources and specialist external advisers. The purpose of this statement is to inform our clients about the steps that we have been taking by way of preparation.

2. Information and Security Audit:

We have undertaken an internal data-mapping exercise, in order to ascertain exactly what kinds of personal data we hold, the sources from which it is obtained, and how it is used. We have also undertaken a security audit to ensure that, where we hold and process personal data, there are appropriate technical and organisational measures in place to ensure that the data is protected. Our findings have been documented in order to help us comply with the GDPR’s accountability requirement.

3. Lawful Basis of Processing:

The GDPR states that the processing of personal data is only lawful if it is done under one of the defined “lawful bases”: these include, for example, that the data subject has given consent to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of the organisation’s “legitimate interests”.

On the basis of the output from the information audit, Crawford HR has identified an appropriate lawful basis for each kind of processing that we undertake, and these are documented in our privacy notices.

4. Privacy Notices:

Our privacy notices have been updated to ensure that data subjects are properly informed about all the details that GDPR requires us to notify them about, such as the identity and contact details of Crawford HR as the controller of the personal data; the contact details for the person responsible for data protection within the organisation; the purposes of the processing, and the lawful basis for it; the “legitimate interests”, where this is the lawful basis of processing on which we are relying; and the existence of the data subject’s right (a) to request access to the personal data, (b) to request rectification or erasure of personal data, (c) to request that the processing is restricted, (d) to object to the processing and (e) to data portability.

5. Internal Policies and Procedures:

We have developed and implemented a number of new policies and procedures to ensure that we are able to respond efficiently to data protection issues. These include a new Privacy Policy which directs staff as to how personal data should be used, along with procedures for dealing with:

  • Subject access requests
  • Requests from data subjects to exercise their other rights under the GDPR, such as the “right to be forgotten” and the right to have inaccurate data rectified
  • Personal data breach incidents
  • Objections to direct marketing.

6. Client Agreements:

We have developed a Data Protection Addendum to our standard terms of engagement that addresses the GDPR’s requirements about contracts between data controllers and data processors where we are handling personal data on behalf of a client. In summary, the Addendum provides that:

  • We will only process the personal data on the client’s written instructions;
  • We will ensure that all personnel with access to the personal data treat it in confidence;
  • We will put in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing, and against accidental loss, destruction or damage;
  • We will not engage a subcontractor as a third-party processor of the personal data without the client’s approval;
  • We will assist the client in responding to requests from data subjects and in ensuring compliance with certain of the client’s other obligations under data protection law;
  • We will delete or return personal data on termination of the relevant engagement;
  • We will keep complete and accurate records and information to demonstrate our compliance, and allow for audits by the client or its representatives; and
  • We will inform the client if an instruction infringes data protection law.

The inclusion of this Addendum means that our clients can be assured that, if Crawford HR processes personal data on their behalf, it is being done on the basis of a contract that meets those requirements.

7. Third Party Processors:

We will do our best to ensure that with effect from 25th May 2018, our contracts with any third-party companies that process personal data on our behalf include the relevant controller-processor clauses.

8. Staff Training:

We have put in place data protection awareness training for all staff. This includes training about the GDPR’s data protection principles and other key aspects of data protection law as it relates to Crawford HR’s business, and as a minimum some essential “do’s and don’ts” in relation to the obtaining, processing and sharing of personal data. Staff need to be aware of the importance of respecting personal data, and of their own responsibilities in this regard.